It is testament to the importance of technology that in times such as these, people’s reliance upon technology (and connectivity in particular) has skyrocketed in an attempt to help maintain social cohesiveness and facilitate creativity. TikTok, the Beijing-based video-sharing social networking service which really made its entrance onto the world stage in 2018, has now once again risen to fame through the societal void born of self-isolating measures. Following on from our earlier article, which provided an insight into the copyright infringement claims arising from this popular social media platform, this two-part series of articles takes a look at the privacy policy and terms of service related to TikTok in order to shine some light on any issues which could arise from using it.
TikTok has already received wide criticism in a number of areas, but for the sake of these articles I will focus only on issues related to privacy and the terms of service and not others (for example, discrimination against disabled users via limiting their content reach).
Privacy issues arising from TikTok have generally been related to 1) data sharing; 2) data storage; 3) transparency; and 4) controversial tracking technology. This section will aim to break down these issues and cross-refer them to TikTok’s EEA and Switzerland Privacy Policy and the General Data Protection Regulation (“GDPR”) where relevant.
1. Data sharing
Section 4 (How we share your personal data) of TikTok’s Privacy Policy sets out how they will share user data with third parties. The wording at first glance appears to be in compliance with the GDPR, but privacy analysts and researchers have managed to show that, in practice, TikTok’s actual data sharing practices may not be compliant.
For example, there is evidence to suggest that users’ device information, usage time and lists of watched videos are being sent to Appsflyer and Facebook. Although TikTok’s Privacy Policy states that they will share certain information with relevant social networks such as users’ “app ID, access token and the referring URL”, the full level of technical information being shared is not particularly transparent (as will be discussed further below).
The issue here is essentially that TikTok is claiming a legitimate interest to justify technical data being shared with third parties. In section 6 (Your Rights) of TikTok’s Privacy Policy, it states the following:
“The right to object to processing if we are processing your personal data on the basis of our legitimate interest unless we can demonstrate compelling legitimate grounds which may override your right. If you object to such processing, we ask you to state the grounds of your objection in order for us to examine the processing of your personal data and to balance our legitimate interest in processing and your objection to this processing”
This is interesting because TikTok appear to be fully aware that, should there be overriding legitimate grounds to continue processing, users’ requests to be forgotten or for TikTok to cease processing of their personal data may be lawfully rejected; therefore, TikTok must strongly believe that their sharing of users’ technical personal data with third parties is being done pursuant to overriding legal grounds (Article 17.1(b), GDPR) or otherwise as listed in Article 17.3, GDPR. A list of what TikTok considers their “legitimate interests to provide an effective and dynamic Platform” can be found in section 3 (How we use your personal data) of TikTok’s Privacy Policy.
2. Data storage
Section 5 (Where we store your personal data) of TikTok’s Privacy Policy states that users’ personal data “will be transferred to, and stored at, a destination outside of the European Economic Area (“EEA”).” TikTok continues to state that this will be done under the European Commission’s model contracts for the transfer of personal data to third countries (i.e. the standard contractual clauses) pursuant to 2004/915/EC or 2010/87/EU as appropriate. A copy of these standard contractual clauses is not readily available on TikTok’s website, nor did we receive a copy of them from TikTok upon request.
The standard contractual clauses referred to are a standard set of contractual terms and conditions provided by the European Commission which both the sending and receiving parties sign up to in order to put in place sufficient safeguards on personal data leaving the EEA.
TikTok is owned by ByteDance whose headquarters are located in Beijing, China, unsurprisingly considered a “third country” under the GDPR. It is important to note that in response to global concerns regarding data privacy, TikTok released a statement in October 2019 confirming (for at least the US) that their “data centres are located entirely outside of China”.
Also, I cannot comment upon the sufficiency of the actual terms and conditions put in place between the various ByteDance entities as they are not readily available.
3. Transparency
This leads us to the issue of transparency. The above outlines how TikTok has not necessarily been fully transparent with their data transfers and data storage, although they have attempted to provide some clarity as mentioned above.
Section 1 (The types of personal data we use) and section 3 (How we use your personal data) do attempt to clearly set out what personal data is being collected from users as well as how TikTok will process this data. Section 4 (How we share your personal data) attempts to inform users as to what third parties will have access to their data; however, there is no specific listing of which third parties within ByteDance’s corporate group will have such access, which could be seen as an issue when considering ByteDance’s corporate group is defined as “other members, subsidiaries, or affiliates of our corporate group”.
It seems that in response to this kind of criticism, TikTok has updated their Community Guidelines and published a Transparency Report in December 2019.
4. Tracking Technology
Beyond the conventional trackers (such as Google Analytics) which we can expect to be found on social media platforms, there has been concern over the presence of more controversial device fingerprinting technology, which is essentially a combination of audio and browser tracking to determine which users are watching and/or sharing videos.
Fingerprinting technology is not specifically mentioned in the GDPR, but the regulations provide general rules which are flexible enough to keep up to date with technological developments in the area of data processing, so it is impliedly covered. This means that data controllers hoping to utilise such fingerprinting technology will require users’ express consent or otherwise will need to rely upon a “legitimate interest”, as TikTok have set out in section 3 (How we use your personal data) of TikTok’s Privacy Policy.
Firstly, in order for TikTok to be able to rely on the specific legal ground of “legitimate interest”, they will need to go through the balancing test set out in Recital 47, GDPR, so that they can verify for themselves whether their interest in obscure tracking is not overridden by “the fundamental rights and freedoms of the data subject” and whether it is in line with the user’s reasonable expectations.
Secondly, TikTok will need to share detailed information with users who are subjected to fingerprinting, including the scope, purposes, and legal basis of such data processing (further to Article 12, GDPR). However, if fingerprinting is done for marketing purposes, users may request this to be stopped (provided they do not agree with the legitimate interest argument that has been made by TikTok) as per Article 21, GDPR. TikTok’s Privacy Policy does state that “where the processing of your personal data is based on your consent, [you have] the right to withdraw your consent at any time without impact to data processing activities that have taken place before such withdrawal”. In this context, this means users can object to fingerprinting which has taken place pursuant to their consent, but this will only prevent any further fingerprinting from that point onwards.
In summary, the evidence here does suggest in some areas that there may be cause for concern. The widespread concern seems to be, in large part, born out of negative assumptions surrounding the geographical headquarters of TikTok. Although sometimes this can be a factor worth considering, generally speaking, users should be more concerned with the manner in which their personal data is being processed when using social media platforms. Most social media platforms will have very similar privacy policies, irrespective of their country of origin, so to take particular issue with one solely because of a political/geographical prejudice seems to be unfair. However, there are perhaps reasons why users should be concerned with the data processing being done by TikTok, as outlined within this article.