French data privacy watchdog the Commission Nationale de l’Informatique et des Libertés (CNIL) has an open investigation into how Chinese-owned video-sharing app TikTok handles user data, according to reporting by Techcrunch.
The investigation was opened in May 2020, following a complaint related to a request to delete a video.
The CNIL has since widened the complaint to include various data privacy issues. It now includes transparency concerns surrounding how TikTok processes user data; users’ data access rights; transfers of user data outside the EU; and how the app ensures the data of minors is protected.
EU GDPR legislation protects user data, giving them the right to request copies of their data or have it deleted, along with requiring companies to provide clear information about how users’ data is processed.
GDPR laws state that national data watchdogs can penalise companies up to 4% of their global annual turnover.
A TikTok spokesperson told Techcrunch: “TikTok’s top priority is protecting our users’ privacy and safety. We are aware of CNIL’s investigation and are fully cooperating with them.”
Under French data protection law, children of 14 or younger are unable to consent have their data processed by information social services such as TikTok.
Data protection and privacy director at HewardMills Helga Turku said: “Various investigations have started in the US, UK, Colombia, Brazil, the Netherlands and now France, all seeking to better understand how TikTok is handling children’s data and protecting their privacy.
“The app’s popularity grew very quickly in a short period, and now the pressure will be on TikTok to demonstrate that it has established a robust data privacy programme able to properly protect users.”
The move is a further blow to TikTok and ByteDance, which has fallen foul of US President Donald Trump, who is seeking to ban the app in the US.
The CNIL has shown that it is no stranger to standing up to large tech companies. It previously fined Google $57 million last year, the largest against a major tech company.
However, TikTok may be able to avoid the CNIL investigation.
- Au Revoir, Google! Why France is Securing its Digital Sovereignty
- Twitter Shows Interest in Buying TikTok US Operations
- US Lawsuit Claims TikTok is Transferring ‘Vast Quantities’ of Data to China
TikTok has designated Ireland’s Data Protection Commission (DPC) as its lead authority in Europe to handle data privacy issues. TikTok previously announced that it aims to open its first European data centre in Ireland, where all EU user data will be stored.
Should TikTok satisfy certain legal conditions, it could have any GDPR investigation moved to the DPC, which currently has over 20 major ongoing probes, but has not made decisions on any of them. This has given the watchdog a reputation for being slow to enforce complex cross-border GDPR cases.
A CNIL spokesperson told Techcrunch that the TikTok investigations “could therefore ultimately be the sole responsibility of the Irish protection authority, which will have to deal with the case in cooperation with the other European data protection authorities.
“To come under the sole jurisdiction of the Irish authority and not of each of the authorities,” they said, “Tiktok will nevertheless have to prove that its establishment in Ireland fulfils the conditions of a ‘principal establishment’ within the meaning of the GDPR.”
However, in June, EU data protection chiefs decided that they would coordinate potential investigations into the app and established a taskforce to better understand “TikTok’s processing and practices across the EU”.