• The Italian Data Processing Authority is raising an alarm over the privacy of the TikTok app
• The case will be discussed at the end of February by the EDPB, the European data processing authorities body
• TikTok is the latest messaging/social network success, owned by ByteDance, a Beijing-based company founded in 2012

The Italian authority for Privacy (GPDP) has launched a co-ordinated action to review the risks linked with the TikTok app, in an attempt to protect children’s privacy rights. TikTok is a social network for creating and sharing audio, videos, and pictures, used by millions of mostly young users worldwide.

The Italian DPA is calling on the European Data Protection Board (EDPB), the body that represents all EU data protection authorities, to set up an ad-hoc task force. The topic could have clear ramifications across all international apps: currently the principles of the European GDPR regulations are clear, but they are not easily applied or reviewed.

The main concern from the Italian authority on privacy is not the app’s functionality, but its collection and handling of user data. This data can include the user content and communications, IP addresses, location-related data, metadata, and other sensitive personal information.

In a letter sent to the EDPB on the 20th of January, Antonello Soro, President of the Italian DPA, confirms that they have already received alerts regarding alleged vulnerabilities of this smartphone app and that other supervisory authorities such as the UK ICO and the US FTC have already started separate investigations. Soro asked that this issue be put on the agenda of the next plenary meeting of the EDPB, to be held in Brussels on the 28th and 29th of January.

In November 2019, the US Senate was asked to review the concerns that TikTok must adhere to the Chinese laws requiring domestic companies “to support and cooperate with intelligence work controlled by the Chinese Communist Party.” The indirect possibility that Army members using the app would reveal sensitive data, such as the location of military units, to Chinese Intelligence was enough to get the review started.

In the case of the Italian GPDP, the focus would be the treatment of data for minors. Here the GDPR guidance is clear: “processing of the personal data of a child” is only allowed by law when the child is at least 16 years old. If a child is under 16 years of age, companies must obtain consent from the child’s parent or legal guardian to collect and process their data. Any collection of data from children under the age of 13 is prohibited. The TikTok case is interesting as it might generate guidance for all companies involved in the treatment of young users.

The app itself has privacy settings available. Users can decide whether or not they want to be searched for by unknown users: an account set to ‘private’ blocks other users from viewing uploaded content, and users can then also select who can send a message, leave a comment and so on. Reactions are limited to the ‘heart’ symbol, but open forum comments can also promote negativity. TikTok is rated 12+ on the Apple app store and “teen maturity” on Google Play. However, there is no system in place to verify a user’s age, so anyone can download it.

Dario Betti

MEF CEO