TikTok's lead privacy regulator in Europe takes heat from MEPs
MEPs in the European Parliament had the opportunity of a rare in-person appearance by Ireland's data protection commissioner, Helen Dixon, to criticize the bloc's lead privacy regulator for most of Big Tech over how long it's taking to investigate the video-sharing social media platform TikTok.
This concern is the latest expression of wider worries about enforcement of the General Data Protection Regulation (GDPR) not keeping pace with usage of major digital platforms.
The Irish Data Protection Commission (DPC) opened two inquiries into aspects of TikTok's business back in September 2021: One focused on its handling of children's data, and another looked at data transfers to China, where the platform's parent company is based. Neither has yet concluded. Although the kids' data inquiry looks relatively advanced along the GDPR enforcement rail at this stage -- with Ireland having submitted it to other EU regulators for review in September last year.
Per Dixon, a final decision on the TikTok kids' data case should arrive later this year.
The U.K.'s data protection watchdog -- which now operates outside the EU -- has taken some enforcement action in this area already, putting out a provisional finding that TikTok misused children's data last fall. The ICO went on to issue its final decision on the investigation last month, when it levied a fine of around $15.7 million. (Albeit, it's worth noting it shrunk the size of the fine imposed and narrowed the scope of the final decision, dropping a provisional finding that TikTok had unlawfully used special category data -- blaming resource limitations for downgrading the scope of its investigation.)
In remarks to the European Parliament's civil liberties committee (LIBE) today, which had invited Ireland's data protection commissioner to talk about TikTok specifically, Dixon signaled an expectation that a decision on the TikTok children's data probe would be coming this year, making a reference to the company as she told MEPs: "2023 is going to be an even bigger year for GDPR enforcement on foot of DPC large scale investigations."
Other large-scale cases she suggested will result in decisions being handed down this year include a very long-running probe of (TechCrunch's parent company) Yahoo (née Oath), which was opened by the DPC back in August 2019 -- and which she noted is also currently at the Article 60 stage.
She added that there are "many further large scale inquiries travelling closely behind" without offering any detail on which cases she was referring to.
Plenty of Big Tech investigations remain undecided by Ireland -- not least major probes into Google's adtech (opened May 2019) and location tracking (February 2020), to name two. (The former of which has led to the DPC being sued for inaction.) Neither case merited a name-check by Dixon today so presumably -- and luckily for Google -- aren't on the slate for completion this year.
Ireland holds an outsized enforcement role for the GDPR on Big Tech owing to how many multinational tech firms choose to locate their regional headquarters in the country (which also offers a corporate tax rate that undercuts those applied by many other EU member states). Hence why parliamentarians were so keen to hear from Dixon and get her response to concerns that enforcement of the regulation isn't holding platform giants to account in any kind of effective timeframe.
One thing was clear from today's performance: Ireland's data protection commissioner did not come to appease her critics. Instead Dixon directed a large chunk of the time allocated to her for opening remarks to mount a robust defense of the DPC's "busy GDPR enforcement," as she couched it -- rejecting attacks on its enforcement record by claiming, contrary to years of critical analysis (by rights groups such as noyb, BEUC and the Irish Council for Civil Liberties), that its legal analysis and infringement findings are "generally accepted in all cases" by fellow regulators who review its draft decisions.
"Differences between the DPC and its fellow supervisory authorities [are] largely confined to marginal issues around the fringes," she also argued -- taking another swipe at what she couched as a "narrative promulgated by some commentators that in many of the cross border cases in which high value fines were levied the DPC was forced to take tougher enforcement action by its fellow supervisory authorities across the EU" that she claimed is "inaccurate."
Back on the day's topic of TikTok, she gave MEPs a status update on the data transfers decision -- revealing that "a preliminary draft of the draft decision" is now with the company to make its "final submissions." The GDPR's procedural track means Ireland must submit its draft decision to other concerned data protection authorities for review (and the chance to raise objections). So there could still be considerable mileage before a final decision lands in this inquiry.
Dixon did not indicate how long it would take the TikTok data transfers inquiry to progress to the next step (aka Article 60), which fires up a cooperation mechanism baked into the GDPR that can itself add many more months to investigation timelines. But it's worth noting the DPC is trailing a little behind its own recent expectation for the draft decision timeline -- back in November, it told TechCrunch it expected to send a draft decision to Article 60 in the first quarter of 2023.
Exports of European users' data to so-called third countries (outside the bloc), which lack a high-level data adequacy agreement with the EU, have been under increased scrutiny since a landmark ruling by the Court of Justice back in July 2020. At that time, as well as striking down a flagship EU-U.S. data transfer deal, EU judges made it clear data protection authorities must scrutinize use of another mechanism, called Standard Contractual Clauses, for transfers to third countries on a case-by-case basis -- meaning no such data export could be assumed as safe.
And, just yesterday, a major GDPR data transfer decision did finally emerge out of Ireland -- possibly offering a taster of the sort of enforcement that could be coming down the pipe for TikTok's data transfers in the EU -- with Facebook being found to have infringed requirements that Europeans' information be protected to the same standard as under EU law when exported outside the bloc.
Facebook's parent company Meta was ordered to suspend unlawful data flows within six months and also issued with a record penalty of €1.2 billion for systematic breaches of the rulebook. The company has said it will appeal the decision and seek a stay on implementation of the suspension order.
Meta ordered to suspend Facebook EU data flows as it’s hit with record €1.2BN privacy fine under GDPR
It's anyone's guess when such a decision might land for TikTok's data transfers to China -- a location where digital surveillance concerns are certainly no less alive than they are for the U.S. -- but MEP Moritz Körner, of the Free Democratic Party, was one of several LIBE committee MEPs taking issue with the length of time it's taking for the GDPR to be enforced against another data-mining, data transferring adtech giant.
"It's good to hear today that you are in the final stage of your [TikTok] investigation but more than four years have gone by!" he emphasized in questions to the Irish commissioner. "And this is an app which millions of our citizens are using -- including children and young people... So my question would be does data protection in Europe move quickly enough and what has happened over the past four years?"
Pirate party MEP, Patrick Breyer, had even more pointed remarks for Dixon. He kicked off by calling out her refusal to meet the committee last year -- when she had reportedly objected to being asked to appear at a session alongside privacy campaigner, Max Schrems, who had a live legal action open against the DPC related to its procedures around his complaint about Meta's data transfers -- which he suggested would have been the appropriate forum for her defense of the DPC's enforcement record, not a hearing on TikTok specifically. He then went on to hit out at the narrow scoping of the DPC's investigations into TikTok's operations -- raising broader questions than the regulator is apparently inquiring into, such as the legality of TikTok's tracking and profiling of users.
"Hearing that what you are investigating in relation to TikTok is only children's data and data transfers to China -- this addresses only a fraction of what is being criticized and debated about the service and this app," he argued. "For one thing using TikTok comes with pervasive first party and third party tracking of our every action or every click based on forced consent, which is not necessary for using the service and for providing it. This pervasive tracking has been found to be both a risk to our privacy but also to national security in the case of certain officials. And do you consider this content freely given and valid?"
"Secondly, the app reportedly uses excessive permissions and device information collection, including hourly checking of our location, device mapping, external storage access, access to our contacts, third party apps data collection, none of which is necessary for the app to function. Will you act to protect us from these violations of our privacy?" Breyer continued. "If you remain as inactive as this, as you have been for years, you know this will continue to call into question your competence for [overseeing] the social media companies in Ireland and it will result in more outright bans [by governments on services like TikTok] which is not in the interest of industry either. So I call on you to expand your investigations and to speed them up and cover all these issues of pervasive tracking and excessive surveillance."
Another MEP, Karolin Braunsberger-Reinhold of the Christian Democratic Union, also touched on the issue of TikTok bans -- such as one imposed by the Indian government, back in 2020 -- but with apparently less concern about the prospect of a regional ban on the platform than Breyer since she wanted to know what the Dixon was considering "beyond fines." "Data protection is very important in the European Union so why are we allowing TikTok to send data back to China when we have no information on how that data is being dealt with once it goes back there?" she wondered.
MEPs on the LIBE committee also queried Dixon about what had happened with a TikTok task force set up at the start of 2020, by the European Data Protection Board (EDPB), following earlier concerns raised about privacy and security issues linked to its data collection practices.
Such task forces are typically focused on harmonizing the application of the GDPR in cases where a data processor is not main established in an EU member state. But TikTok went on -- by December 2020 -- to be granted main establishment status in Ireland, which meant data protection investigations would now be funneled via Ireland as its lead authority for the GDPR. This revised oversight structure most likely led to a disbanding of the EDPB TikTok task force, since the GDPR contains an established mechanism for cooperation, although Dixon did not provide an obvious response to MEPs on this point.
The clear message from the LIBE committee to Ireland today, in its capacity as TikTok's lead privacy regulator in the EU, boiled down a simple question: Where is the enforcement?
For her part, Dixon sought to dodge the latest flurry of critical barbs -- rejecting accusations (and insinuations) of inaction by arguing that the length of time the DPC is taking to work through the TikTok inquiries is necessary given how much material it's examining.
She also sought to characterize cross-border GDPR enforcement as "shared" decision-making, as a result of the structure imposed through the regulation's one-stop-shop mechanism looping concerned authorities into reviewing a lead authority's draft decisions -- also referring to this process as "decision making by committee." Her point there being that group decision-making inevitably takes longer.
"I do want to assure you we're working as quickly as we can," she told MEPs at one point during the session. "We have well over 200 expert staff at the Irish Data Protection Commission. We're recruiting more. We're conscious of turning these decisions around... We transmitted that draft decision last October to our concerned authorities. It will be almost a year later now before we have the final decision. That is the form of decision making by committee that the GDPR lays down and it does take time."
In the case of the TikTok data transfers probe, Dixon leaned on the requirement handed down by the CJEU that regulators examine legality on a case by case basis as justifying what she implied was a careful, fact-sifting approach.
"The Court of Justice has obliged us to look at the specific circumstances and the factual backdrop of any specific set of of transfers before we can conclude and so while to some people the answers all seem obvious that's not the process in which we must engage. We must step, case by case, through on the specifics. And that's what we have done now and submitted a preliminary draft of our decision to TikTok for submissions," she argued.
"As I said in my opening statement, we're far from inactive," she also asserted, before mounting another fierce defense of the DPC's record -- claiming: "We are by any measure the most active enforcer of data protection law in the EU. Two thirds of all enforcement delivered across the EU/EEA and UK last year was delivered by the Irish Data Protection Commission and that's verifiable facts."
Responding to another question from the committee, regarding what sanctions the DPC is looking at if it finds TikTok has infringed the GDPR, Dixon emphasized it has "a whole range of corrective measures up to bans on data processing that we can apply," not just fines.
"In any investigation we're open minded in relation to what the applicable and effective measures will be when we conclude an investigation with infringement -- so, I can assure you, where we have considered in the [TikTok] case that we've already concluded -- the children's data that's now with our fellow authorities -- we have looked across the range of measures available to us in relation to that investigation," she told MEPs.
The issue of fines that the DPC may (or may not) choose to impose for GDPR breaches is particularly topical -- given it's emerged as a key detail in the aforementioned Meta data transfers enforcement.
In the Meta transfers case, Dixon and the DPC had not wanted to levy any financial penalty on the tech giant for a multi-year breach affecting hundreds of millions of Europeans. However, it was forced to include a fine in the final decision in order to implement a binding decision by the EDPB -- which had ordered it to impose a fine of between 20% and 100% of the maximum possible under the GDPR (which is 4% of annual revenue). In the event Ireland opted for the lower bar -- setting the penalty at around 1% of Meta's annual revenue.
In her remarks to MEPs today, Dixon defended the DPC's decision not to propose fining Meta for its illegal transfers -- however, she offered no substantial argument for why it took such a position.
"As I'm sure you'll be aware, the DPC respectfully disagreed with the proposal to apply a fine. In our view, a meaningful change, if it was to be delivered, in this area required the suspension of transfers. No administrative fine could guarantee the kind of change required," she told MEPs, offering a straw man argument in defense of wanting to let Meta go without any financial sanction, which seems to imply there's an either/or equation for GDPR enforcement -- that is, corrective measures or punishment -- when, very clearly, the regulation allows for both (and, indeed, intends that enforcement is dissuasive against future law breaking). Hence the EDPB's binding decision requiring Ireland to impose a substantial fine on Meta for such a systematic and sustained infringement of the GDPR.
Instead of elaborating on the rationale for choosing not to fine Meta, Dixon switched gears into a swipe of her own -- directed at the EDPB -- by making an observation that "all" the Board's binding decisions in cases in which the DPC had acted as lead supervisory authority are subject to annulment proceedings before the Court of Justice of the European Union, before adding (somewhat acidly): "As such the CJEU, rather than the EDPB, will have the final say on the correct interpretation and application of the law."
In questions to Dixon, social democrat MEP, Birgit Sippel, picked her up on what she implied was a repeated lack of clarity emanating from the DPC on fines -- also flagging a lack of "clear answers" from the Irish commissioner in her remarks to the committee today on why it had failed to propose any penalty at all for Meta's illegal data transfers.
There was no comeback from Dixon to that point.
In her questioning, Sippel also wondered whether TikTok was cooperating with the DPC's investigations -- or whether the DPC had adequate access to information from it in order to conduct proper oversight. On this Dixon said the company is cooperating with the two investigations, while noting TikTok has "from time to time" been asking for extensions to submission deadlines, which she implied were typically granted as she considered they were merited on account of the amount of volume of material involved -- providing a small glimpse of GDPR enforcement timeline creep in action.
Asked for a response to views expressed by MEPs during the LIBE committee hearing, a TikTok spokesperson told us: "We welcome the Data Protection Commissioner's acknowledgement that TikTok has been cooperative and responsive with the regulator. As a company we are readily available to meet with lawmakers and regulators to address any concerns."
In a press release about Dixon's appearance in front of the committee today, the DPC wrote:
The Data Protection Commission (“the DPC”) was today delighted to be invited to make its first address before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“the LIBE Committee”). The address coincided with the five-year anniversary of the application of the General Data Protection Regulation (“the GDPR”) and covered a wide-range of topics, including the extensive enforcement work of the DPC over the last five years and the progress of some of the large-scale investigations it currently has on-hand; in particular those relating to TikTok.
Today’s address by Commissioner for Data Protection, Helen Dixon, built on the ongoing positive engagement between the DPC and the LIBE Committee, following the visit of a LIBE delegation to the DPC’s offices last September. Welcoming the chance to highlight the successful enforcement work of the DPC to date, Commissioner Dixon reflected on the constructive and useful nature of engagement with the LIBE Committee “as we each, from our respective remits, pursue the drive for fair and effective enforcement of data protection law and protection of fundamental rights.”
Commissioner Dixon was also pleased to answer questions from the MEPs in attendance and provide additional clarity as to the nature and scale of the DPC’s work.