Ref. Ares(2022)5123950 - 14/07/2022
Meeting with
CAB Room, 29 March 2022, 15:00
MEETING WITH
,
at ByteDance/TikTok
Scene setter
1
Meeting with
CAB Room, 29 March 2022, 15:00
Lines to take
Data Protection
• We understand you’re in contact with the Irish DPC as your GDPR lead supervisory
authority. Regarding your interactions with the other DPAs:
o We welcome that TikTok has updated its data protection information and are
making continued efforts to communicate with its users about the processing
personal data in an understandable way, in reaction to a fine issued by the
Dutch data protection authority in July 2021.
o We welcome that you engaged with the Italian data protection authority about
the way how TikTok verifies the age of its users.
• We would welcome your views on what TikTok can do to further improve the privacy
and data protection of children on its platform and information on what it has done
since our last meeting in September last year.
Data flows (general)
• The Commission remains firmly committed to facilitating trusted data transfers.
• I am thinking for instance of the adequacy negotiations we recently concluded with
the UK and South Korea – two years after creating with Japan the world's largest area
of free and safe data flows.
• We are currently having similar talks with a number of partners, in particular in Asia
and Latin America.
• This commitment to international data flows is also reflected in our approach to trade
negotiations. We are systematically including in the digital trade chapter of all our
trade agreements a straightforward prohibition of data localisation requirements. This
is what we did for instance in the Trade and Cooperation agreement we concluded at
the very end of last year with the UK.
• In other words, we want to make clear that genuine data protection, on the one hand,
and digital protectionism, on the other hand, are two very different things.
Standard contractual clauses
• In June last year we adopted modernised standard contractual clauses, which are the
most used tool for international data transfers from Europe.
2
Meeting with
CAB Room, 29 March 2022, 15:00
• These have been updated and adapted to modern business realities. They also take
into account the requirements of the Court of Justice of the EU’s case law, including
the Schrems II judgment, and operationalise the clarifications offered by the Court.
• Through their standardisation and pre-approval, these clauses provide companies,
especially SMEs, a practical tool to assist them in complying with the GDPR.
• Of course, these Clauses have to be used in accordance with the case-law of the Court
of Justice of the EU, including its Schrems II judgment, and the guidance of the
EDPB.
• That is why we worked closely with the Board to ensure consistency between our
respective worksteams. This is reflected in the final guidance of the EDPB that was
also adopted in June, which is better aligned with the approach of the standard
contractual clauses (compared to previous EDPB drafts).
• To further facilitate the use of the SCCS, we are developing a Q&A addressing
implementation issues, providing further clarifications etc. This will be a dynamic,
online source of information that will be regularly updated.
• We are doing this in close cooperation with stakeholders as we want this to be an as
practical as possible tool – based on “real life” situations.
Negotiations on a successor arrangement to the Privacy Shield
• The EU and the US have reached an agreement in principle for a new Trans-Atlantic
Data Privacy Framework.
• To comply with the requirements set by the Court of Justice in the Schrems II
judgment, the future arrangement will provide for:
• A set of rules granting Europeans whose personal data are transferred to the US
binding safeguards limiting access to data by American intelligence authorities to
what is necessary and proportionate to protect national security.
• The establishment of a two-tier redress system to investigate and resolve complaints
from Europeans regarding access to their data by US national security authorities.
• These new safeguards and redress mechanism will complement the strong obligations
that will apply to companies processing data transferred from the EU.
• The two sides will now finalize the details of this agreement in principle and translate
it into legal texts. In particular, the U.S. commitments will be included in an
3
Meeting with
CAB Room, 29 March 2022, 15:00
Executive Order that will form the basis of the Commission’s assessment in its future
adequacy decision.
• On the EU side, the adoption process for an adequacy finding involves obtaining an
opinion from the European Data Protection Board (EDPB) and the green light from a
committee composed of representatives of the EU Member States. Moreover, the
European Parliament has a right of scrutiny over adequacy decisions. Once this
procedure will have been completed, the Commission will be able to adopt the
adequacy decision.
Consumer protection - CPC action on TikTok
• TikTok captivates attention of global, particularly young, audience with great success.
I congratulate you on being an entertainment platform with most new downloads in
2021.
• With popularity, however, comes social responsibility!
• Thank you for the latest reply in which TikTok offers stronger commitments on the
issues raised by the CPC network during the dialogue.
• I appreciate that TikTok is cooperating constructively with the Commission’s services
and the (CPC) network.
• I am happy to learn that you will conduct a series of user testing to determine the most
adequate and prominent label for all commercial content on your platform, including
when displayed by influencers.
• I equally appreciate TikTok taking measures on cross-cutting issues. For instance, by
ensuring that it is as easy to opt out from personalisation of ads as to opt in.
• It is important to ensure that all TikTok users, in particular the most vulnerable, are
aware of their choices and that they are informed about their consequences in
adequate language and transparent manner.
• Since many of your users are children, I would like to learn more about the AI-driven
age assurance mechanism you are currently developing and additional technical
measures by which you ensure a lasting impact, that only older children will use
TikTok.
• CPC authorities are looking closely at the commitments proposed by TikTok. Rest
assured that the Commission and the CPC network will inform you on the final
deliberations of the CPC network before we publicly communicate on our dialogue.
4
Meeting with
CAB Room, 29 March 2022, 15:00
• DG JUST services remain at your disposal for any questions. Thank you for the good
cooperation with the Commission so far!
5
Meeting with
CAB Room, 29 March 2022, 15:00
1. FLASH REPORT MEETING WITH
- TIKTOK - 20 SEPTEMBER 2021 - FLASH REPORT
COM: Isabelle Perignon, Lucrezia Busa,
TikTok:
The discussion covered: (i) the on-going action /investigation of the CPC network to address
the company’s practices related to children and hidden advertising; (ii) current commitments
to fight hate speech; (iii) on-going investigations in the data protection area.
The company
explained that TikTok’s Chinese parent company has been active for 10
years in smartphone and mobile computing technology. In 2016 it launched the first video
application in China and then as of 2017 gradually released the international version which
became TikTok, now receiving a lot of positive attention from users around the globe.
TikTok does not see itself as a “social media” but rather as an “entertainment” platform.
Social media users would nowadays log on e.g. to Facebook to liaise with relative and friends
and then watch videos on TikTok like they do with Netflix. TikTok has been active only for 3
to 4 years in EU but it has been growing very rapidly. Its number of employees is increasing
in BE, France, Ireland, Italy and Spain. Ireland is the main hub (headquarters) for data
protection, trust and safety and this is where the company is planning to migrate all data once
the infrastructure is ready.
CPC Coordinated Action
TikTok’s legal team is very pleased by the results achieved until now and it is taking this
process very seriously. They appreciate the constructive cooperation and find the role of the
Commission in coordinating CPC authorities very helpful in ensuring consistency of the
outcome. It is particularly important for TikTok to be able to solve all problems in a “one
stop shop” given that they had been targeted by various investigations and information
requests across the EU. Some solutions have already been found and the company is
planning to apply the changes to their practices demanded by DG JUST/ CPC Network at
global level. This is particularly interesting as it would elevate EU standards as a global
benchmark.
COM also expressed appreciation for the constructive cooperation with TikTok in the CPC
action. It also recalled that final commitments are expected by the end of September and that
DG JUST’s team is available for any technical clarification which is still needed. There are
positive expectation that children and other users will be able to enjoy the platform safely if
the remaining issues are solved.
Hate Speech
TikTok stressed that they are taking the fight against hate speech very seriously and they are
happy with the results achieved (in terms of content removed). They also appreciate the
support from DG JUST in this process.
11
Meeting with
CAB Room, 29 March 2022, 15:00
COM stressed that the results of the monitoring exercise (concerning the effectiveness of the
notice and action mechanism of the code of conduct) will soon be published and the results
point in the right direction. Now there is a need to brainstorm about how to improve the code
of conduct. Discussions have begun with the platforms involved, including TikTok. Co-
regulation could be a possible model with a close cooperation between the industry and the
Commission.
TikTok signalled a few areas for improvement /extension of the code of conduct:
- It should not be restricted to large players (subscribed also by smaller platforms,
NGOs and discussion fora);
- A repository dealing with examples, case studies, jurisprudence should be made
available etc.
- Other analogues areas (e.g. child injury areas and vulnerabilities) where the entities
responsible for legal obligation need to coordinate could inspire what can be done in
law enforcement for hate speech.
TikTok welcomes the study on transparency/statistics by independent third parties and
stressed that their corporate policy could not be clearer on their firm commitment to fight
hate speech. While they do not tolerate hate speech – the see subtle messages which are more
difficult to detect as the challenge in this area. For this reason they have set up an European
Safety Advisory Council which will advise on content moderation policy to keep up to date
in new trends and ways things evolve. In this connection, they are happy to work with COM
and push other companies to do the same.
COM said that these points could be explored in the coming months and found the idea of the
repository of case studies interesting.
Data Protection
COM asked for an update from TikTok on how they are managing the investigations by the
Irish and the Italian DPAs.
TikTok explained that the current Irish investigation reconfirms the grounds of other
investigations (privacy by design for children and data transfer) in the NL, FR, DK and IT.
Only recently, in December last year, the company’s EU establishment (in Ireland) for data
protection purposes was confirmed. For many of the issues at stake extensive responses had
already been provided e.g. to authorities in FR. TikTok is also very engaged with Italian
Authorities and made extensive commitments to them. However, they believe the IT DPA
should pass their investigation on to the Irish Data Protection Commission.
The company claims that their approach aligns with EU data sovereignty. They are working
hard with the Irish DPA to solve issues relating to children, in particular age verification e.g.
AI mechanism to detect whether users are older than 13. In this connection, TikTok observed
that the demographic of their users is changing. While in the beginning it was predominantly
young people, now there is a growing group of older users.
COM underlined that it is important to cooperate with DPAs, provide the data and solve the
outstanding problems as soon as possible.
12