The Week – In Perspective: The Irish data protection regulator launches inquiries into TikTok

What happened

• The Data Protection Commission (DPC) in Ireland has announced its intention to commence two inquiries in relation to TikTok’s compliance with data protection law.
• TikTok is a video-focused social networking service that allows users, including children, to make a variety of short-form videos for sharing with others.
• The first inquiry will examine TikTok’s compliance with the requirements of ‘data protection by design and by default’ in relation to users aged 18 and under.
• The second inquiry will look at the sharing of personal data with China and TikTok’s compliance with rules relating to international transfers.   

Why it matters

• ‘Data protection by design and by default’ is an important concept of UK and EU data protection law and one way to demonstrate accountable data protection practices.
• This involves putting in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights.
• Data transfer rules also mean that personal data can only be sent to countries outside of the EU or the UK if there is an appropriate safeguard in place or an adequacy decision.  

What happened

• The data protection regulator in Ireland has produced fresh guidance on the professional qualities required for an organisation’s Data Protection Officer (DPO) to be considered ‘qualified’ to undertake their role.
• It is recommended that the DPO has expertise in national and European data protection laws, an understanding of data security as well as knowledge of the business sector their employer is in.
• If a DPO training programme is to be considered, it is suggested that options include an assessment, certification and are internationally recognised. 

Why it matters

• The DPO should have an appropriate level of expertise in data protection law and practices to enable them to carry out their role.
• However, data protection law does not specifically define the knowledge and expertise that is required.
• Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should proactively decide on the qualifications and level of training for their DPO.
• This can include courses delivered by specialist providers.  

What happened

• Recent talks in Brussels suggest that a new deal to enable transfers of personal data from the EU to the US may be on the horizon.
• However, officials have also rejected claims that a deal can be done before the end of the month.
• Representatives from the EU have stated that a deal can only be reached if the US makes legislative changes to limit how American national security agencies can access European data as well as giving EU citizens a more meaningful way to challenge that access in US courts.

Why it matters

• Seamless data transfers from the EU to the US are currently not permissible due to the ‘Schrems II’ ruling issued last year by the Court of Justice of the European Union.
• This means that organisations must now put in place certain safeguards and consider carrying out a risk assessment before transferring data.
• A new data transfer deal will reduce this burden on businesses and ensure more seamless data flows.