TikToks potential breakup in the United States is pushing European regulators to reckon with the Chinese app — except they cant decide who is in charge.
Despite several open investigations targeting TikTok, legal wrangling over who has direct oversight is paralyzing Europes privacy watchdogs.
The situation highlights the inertia of a system that relies on a complex balance of power between dozens of regulators — and one lead enforcer — to apply the worlds strictest privacy rulebook, the GDPR.
It comes as U.S. President Donald Trumps administration piles pressure on the apps Chinese owners to sell off their U.S. business or face a ban.
So far, TikTok has enjoyed much warmer reception in Europe. On Tuesday, European Internal Market Commissioner Thierry Breton told POLITICO: “Im not in the business of banning any company. Im in the business of explaining very clearly what our rules are.”
While EU regulators have launched investigations into the app, uncertainty hangs over the probes until the question of where TikTok is legally established can be put to rest.
But it remains unclear what those rules are, or who should enforce them.
While EU regulators have launched investigations into the app, uncertainty hangs over the probes until the question of where TikTok is legally established can be put to rest.
In July, the company shifted key data protection functions to Dublin in a move toward becoming legally established in Ireland. It would give Irelands Data Protection Commission (DPC) direct oversight over the company for GDPR purposes under the blocs so-called one-stop-shop mechanism for privacy investigations.
But that has not stopped other regulators from launching probes. Frances CNIL data protection agency has launched an investigation into TikTok, as have its peers in the Netherlands, Denmark and the United Kingdom. A task force within the Continents privacy regulator grouping, the European Data Protection Board (EDPB) — set up at the behest of the Italian regulator — is also looking into the app.
Yet so far, the question of who is in charge remains open. The uncertainty risks undermining a system that has yet to finalize a cross-border investigation against a major tech company in the two years since the GDPR came into force.
“We strongly believe that there is a need for clarification and guidance when it comes to cross-border inquiries,” said Ernani Cerasaro, a data protection lawyer for consumer rights group BEUC. “More specifically, there is a need for administrative and investigative procedures (including the handover of the investigations) to be aligned.”
Whos in charge?
The central involvement of the Irish regulator underscores the extent to which Dublin has become a pressure point in Europes privacy system.
The DPC, which oversees Silicon Valley giants like Google and Facebook, is under mounting scrutiny by campaigners and consumer groups who say it is handling complaints at a glacial pace. It has yet to finalize a decision against Twitter for a 2018 data breach, its first investigation of a U.S. tech company.
But some of the inertia is a byproduct of the way the European system was set up.
Hamburgs data protection authority suggests its the complexity of Europes system for enforcing privacy rules that has led to paralysis over TikTok.
TikTok is very popular among young people | Philippe Lopez/AFP via Getty Images
“We still do not know clearly whether the lead supervisory authority is now the [Irish Data Protection Commission],” the agency said. “Such issues of responsibility paralyze the protection of rights and freedoms for those affected.”
While TikTok shifted key data protection functions to Dublin in July, it is yet to fulfill the conditions that would see the Irish regulator become its so-called lead regulator.
A spokesperson for the DPC said the EDPB task force is still examining whether the move triggers the one-stop-shop mechanism.
According to the EDPBs own guidelines, investigations have to be handed over to the new lead authority if the company under investigation successfully triggers the one-stop-shop mechanism before a final decision has been struck.
Tech companies have noticed the systems weaknesses and have tried to use them to their advantage.
Though regulators signed off on these rules — voting out alternatives like allowing investigators to hold on to probes if theyd started them before a companys legal establishment changes — they dont seem clear on what happens next.
The Dutch regulator has repRead More – Source
[contf] [contfnew] 
politico
[contfnewc] [contfnewc]
