“Further to engagement with the DPC yesterday, TikTok has now agreed to pause the application of the changes to allow for the DPC to carry out its analysis,” a spokesperson for the DPC told TechCrunch.
The DPC’s concern follows a formal warning issued to TikTok from Italy’s data protection watchdog that the company’s proposed switch would breach the ePrivacy Directive and potentially the GDPR. TikTok claims it could process user data to run “personalized” ads without obtaining consent under a legal ground known as “legitimate interest.” Privacy experts question the appropriateness of using legitimate interest as grounds to run behavioral advertising, but TikTok continues to defend its plan.
Regarding the formal warning from the Italian DPA, a TikTok spokesperson says the company is evaluating the notice while also claiming to be “committed to respecting the privacy of our users, being transparent about our privacy practices, and operating in compliance with all relevant regulations.”
For legitimate interest to be considered a valid legal foundation on which to process personal data under European law, a data processor must first conduct a series of tests. Those tests assess whether it has a legitimate cause for the processing and whether the processing is necessary for the stated purpose. A third test also considers the rights and freedoms of the individuals whose information is involved.
While the UK’s data protection watchdog, the ICO, offers some cautionary guidelines for the first two tests, the third will likely be TikTok’s biggest hurdle. The third test requires the company to justify any impact on individuals, which includes the users’ ability to exercise their data protection rights per the ICO guidelines.
Notably, the Dutch DPA takes the stance that legitimate interest cannot be used as a legal basis for commercial interests, period. Should the Irish DPC take a similar view, TikTok would be hard-pressed to have its cake and eat it too.