TANGO Project: Addressing GDPR Compliance Challenges Amidst TikTok's Data Controversy
During her rare in-person appearance before the European Parliament's LIBE Committee, Ms. Helen Dixon, the Irish Data Protection Commissioner (DPC), faced criticism on behalf of the Irish Data Protection Authority (DPA), the largest DPA in the EU. The criticism focused on the DPA's extensive investigation into TikTok's handling of children’s data and data transfers to third countries.
Under the General Data Protection Regulation (GDPR), DPAs are independent public authorities responsible for ensuring compliance with data protection laws within their jurisdictions. They play a crucial role in enforcing and safeguarding personal data rights of EU citizens. Their main responsibilities include providing guidance, enforcing GDPR regulations, handling complaints, imposing sanctions, and promoting cooperation and consistency among DPAs.
The presence of many multinational tech companies in Ireland, attracted by its low corporate tax rate, has made the Irish DPA the most active enforcer of data protection laws in the EU, accounting for two-thirds of all enforcement actions across the EU, EEA, and UK.
However, despite its prominent role in enforcing GDPR, the Irish DPA faced criticism from several Members of the European Parliament (MEPs) during the hearing. Their concerns revolve around the DPA's inconsistent application of GDPR, failure to impose sanctions in certain severe violation cases, and the sluggishness of some investigations, particularly those involving TikTok.
At this time, the Irish DPA has initiated two inquiries in relation to TikTok, one focusing on the company's handling of children's data and the other examining data transfers to China.
The export of European users' data to third countries outside the EU raises significant concerns for GDPR enforcement, as the Court of Justice of the European Union (CJEU) lacks jurisdiction in such cases. This concern was further emphasised by the CJEU's landmark ruling in July 2020, which invalidated the EU-US data transfer agreement and mandated that DPAs scrutinise the use of Standard Contractual Clauses for transfers to third countries on a case-by-case basis, removing any assumption of safety in such data exports.
In particular, MEPs expressed concerns about potential digital surveillance resulting from TikTok's data transfers to third countries. They pointed out that the app collects excessive permissions and device information, including frequent location tracking, device mapping, access to contacts, third-party apps, and unnecessary data. They also questioned why TikTok is allowed to send data to third countries without sufficient information on how that data is handled.
MEP Moritz Körner also voiced dissatisfaction with the DPC and DPA for the time it takes to enforce GDPR against data-mining and data-transferring ad-tech giants like TikTok.
In response to the MEPs' criticisms, Ms. Dixon emphasised that the DPC evaluates data transfers to third countries on a case-by-case basis, considering specific circumstances. She highlighted that data transfers often occur due to the origin of companies and their need for sub-processors and expertise in those countries to ensure compliance with GDPR. Considering the large volumes of data involved, she also emphasised that such investigations naturally take time.
The concerns raised by MEPs regarding the transfer of European users' data to China by TikTok and the potential for digital surveillance cannot be ignored. However, Ms. Dixon rightly emphasised that compliance with GDPR requires significant processing power, among other factors.
The concerns raised by MEPs and enforcement challenges highlighted by Ms. Dixon emphasise the crucial significance of technologies like TANGO, which can facilitate secure and privacy-compliant data exchange for the provision of digital and non-digital services and products. One of the key challenges in implementing the GDPR is the limited capacity of businesses to fully comply with all its provisions. TANGO addresses this challenge by offering technologies that adhere to the highest standards of privacy-by-design and by developing governance frameworks that ensure data provenance. In essence, TANGO ensures GDPR compliance for citizens, businesses, and regulatory bodies alike. While it is still too early to fully gauge the potential global impact of TANGO, the project actively seeks to contribute to relevant standardisation bodies in order to make meaningful contributions.