TikTok’s privacy policy changes as of today

Eva Vogel, published in CodeX, Jul 13, 2022 (4 min read)

In June, TikTok started rolling out in-app notifications to users in the EU, UK, and Switzerland about changes to their privacy policy. The most remarkable change: TikTok will base their usage of personalized advertisements on legitimate interest from July 13th onwards. What does this mean?

Even if you have declined personalized ads in the past, the app can now process your data without your consent because they claim to have “legitimate interest”.

You automatically agree to this just by continuing to use the app after today.

If you do not use TikTok, you might think “so what?”. But if you care about data protection even a tiny bit, keep reading to see how this change erodes Europe’s data protection legislation.

What is legitimate interest?

Legitimate interest is one of six legal bases for processing personal data under the GDPR. It presupposes that a data controller (TikTok) has a legitimate interest in processing the data of a data subject (user), and that the data subject can reasonably expect which data is processed and for what purpose.

I know, this sounds a bit complicated and, honestly, it is quite vague. The GDPR itself mentions two examples: preventing fraud and marketing purposes. In any case, the data should not be processed any further than the data subject would expect, for example by selling it to third parties. Lastly, legitimate interest does not apply when the fundamental rights and freedoms of the data subject override it.

Whether a company has a legitimate interest or not is clearly a matter of (extensive legal) interpretation. For TikTok, the main interest would arguably be revenue. It might not be the best outcome for consumers if data protection authorities deem this purpose a legitimate interest, but it is possible.

But legitimate interest is not only a vehicle for shady marketing processing. Interestingly, privacy researchers and authorities have pushed for wider use of legitimate interest. Why? Because, unlike consent, legitimate interest requires a careful balancing of the interests of data controllers (companies) and, ideally, data subjects (users). With consent, people can be nudged and manipulated into giving it, especially when they are somewhat dependent on using a service. In contrast, under legitimate interest companies have to give compelling explanations as to why they may process users’ data. Put shortly: legitimate interest places the burden of assessing the benefits and consequences of processing on the companies, which have the resources to do so.

In any case, whether TikTok has a legitimate interest in processing users’ data requires further legal contemplation and is definitely not the subject of this article. What is relevant, however, is TikTok’s switch from consent to legitimate interest.

What is problematic about TikTok’s switch to legitimate interest?

In 2020, the European Data Protection Board (EDPB) published guidelines on the GDPR which touch upon exactly this issue: the interaction between consent and other lawful grounds (such as legitimate interest). In those guidelines, they state:

In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is. (EDPB, 2020)

This means that TikTok cannot ask for your consent and then, if you decline, switch to legitimate interest and use your data for personalized advertisements anyway. Yet this is exactly what they are planning to do.

In other words: what TikTok will start doing as of 13 July is not in line with the GDPR.

Honestly, TikTok was probably able to process most users’ data based on their consent anyway. What I find most troubling is that they found a way to circumvent the few users who explicitly declined the additional processing. Even if it is still early for the “new” (two-year-old) EDPB guidelines to be adopted and actually enforced by member states, we should be able to expect that a “no” remains a “no”. If this goes through without resistance, it sets a terrible precedent for every data controller that quickly needs to turn a “no” to additional data processing into a “yes”.

Companies like TikTok that commit to these practices openly admit that they have no respect for European data protection rules, and the EU’s demonstrated inability to enforce them clearly adds to the erosion of the GDPR. Let’s see how long TikTok’s new privacy policy survives.

Eva Vogel is a writer for CodeX. Digital rights enthusiast. Passionate about technology and legislation that ease privacy-sensitive choices.