TikTok's charm offensive
Because of its expertise, Privacy First Foundation is often invited to roundtables to "think along" on new directions, initiatives or issues that can be criticised in terms of privacy-friendliness or sensitivity. Sometimes we are prepared to do so, especially to prevent developments that could harm everyone's privacy. In doing so, we consider (also in general) a dialogue between parties with conflicting interests important, provided this dialogue is sincere. This also applies to TikTok.
Due to heavy criticism of TikTok as a social medium from various governments, the imposition of a ban on the use of TikTok by civil servants, and stricter measures from Brussels in general (such as the Digital Markets Act, Digital Services Act and Digital Data Governance Act), it is no coincidence that TikTok was invited to the Lower House last week to answer questions from the Standing Committee on Digital Affairs. This meeting took place on 6 September in the Thorbecke Room of the Lower House. The aim of the meeting was for TikTok to explain why, as a platform, it is still flouting European privacy rules and (still) not complying with its legal obligations, despite multiple warnings from the European Union and others. In general, there are fears that TikTok could be used from China for spying purposes. During the meeting in the Lower House, TikTok admitted that employees in China could have access to "public data" of EU citizens. Even though this access would be under strict conditions, the fact that access exists puts TikTok, in Privacy First's view, in breach of European privacy rules.
There was also an extensive article in the FD on 5 September[1] describing how TikTok, through Project Clover, seeks to regain the trust of policymakers by, among other things, placing the monitoring of its user data with an external party. British cybersecurity company NCC Group will carry out that monitoring.[2]
Already at an earlier stage, Privacy First had been invited to attend a TikTok roundtable meeting on Project Clover on 7 September. A small Privacy First delegation had already drafted several critical questions in that context:
- With regard to EU citizens' user data, why doesn't TikTok ensure that it is compliant with European privacy rules and adequately safeguards the European human right to privacy in its operations?
- Is TikTok willing to have, for example, the European Data Protection Supervisor (EDPS) carry out external and independent supervision of Project Clover?
- Is a change in TikTok's revenue model a possibility? By now offering it "free", TikTok is misleading consumers, especially children, because users are now paying by making their personal data available.
- According to its own publications, TikTok does not share EU citizens' user data with countries outside the EU. So how does TikTok explain that Chinese employees have access to this user data, even if it would be under very strict conditions? TikTok's privacy statement[3] states that the servers where user data is stored are located in the United States, Singapore and Malaysia.
- What will TikTok do with the findings of the external regulator, particularly if it concludes that TikTok is not compliant? How is the independence of this external regulator guaranteed?
- What is the exact mandate given to the external supervisor? What are the agreements on transparency about the findings and may conclusions, even if they are to the detriment of TikTok, be made public?
Unfortunately, Privacy First received a cancellation two days before the scheduled roundtable session, just before the TikTok meeting with the Standing Committee on Digital Affairs on 6 September 2023 in the House of Representatives. This was due to a lack of enthusiasm for the roundtable, although TikTok asked Privacy First to keep the ties warm. For Privacy First, this constitutes a reason to publicly express the above questions and concerns on our part.
[1] https://fd.nl/tech-en-innovatie/1488219/tiktok-schakelt-brits-bedrijf-in-om-toezicht-te-houden-op-europese-gebruikersdata
[2] https://www.nccgroup.com/ch-de/ncc-group-announced-as-tiktoks-project-clover-trusted-technology-provider/
[3] https://www.tiktok.com/legal/page/eea/privacy-policy/nl, under the heading 'Our global operations and data transfer'.
Update 3 December 2023:
Some time ago, Privacy First received another invitation to a roundtable with TikTok. This roundtable took place on Monday 27 November 2023. By its own admission, TikTok sent invitations to about 40 groups and individuals engaged with the platform in many areas. It is very unfortunate that many of the invitees did not respond to TikTok's request to participate in order to think along and learn from each other. We did find it useful to participate because we think dialogue between parties with conflicting interests is important, while it is also important to guard one's own interests well.
In the first part of the talk, we were updated on TikTok's activities in Europe. Especially useful was an update on data privacy policies and measures, including Project Clover, and TikTok's plan for storing European user data in Europe with external oversight of access to this data by NCC Group. It is noteworthy that a migration of EU citizens' data has taken place, with the servers used to store the data now located in Ireland and Norway. One criticism here is that people from the company TikTok can still access EU citizens' data from outside EU jurisdiction.
In the conversation, we tried to convey to TikTok that they can 'really' achieve their ambition of the gold standard by adjusting their revenue model. Now, the company makes its money by selling personalised ads, using personal data that users provide 'for free'. In doing so, TikTok misleads its users, violating their privacy rights to further increase profitability. A platform that depends on such a revenue model has no right to exist, in our opinion.
We found the exchange of information at the roundtable highly desirable. Our general impression is that TikTok is open to our critical questions and intends to consult external organisations and individuals, and use them as a sounding board, more often, which we can appreciate. We usually form our point of view from asking questions, the other party's answers and our general impression from the news, combined with experience and thorough research; hopefully, TikTok as a platform does so too. In any case, we engage in dialogue before shouting something.