By Jasper van den Boom & Sarah Hinck
This brief summary of the ByteDance workshop sheds light on its most important changes, some of the most relevant questions and answers in the Q&A, and shares some general observations. These reports are intended to represent facts and convey information on what was discussed during the workshops. They are not intended to provide normative considerations on whether the undertaking complies.
Opening remarks
ByteDance’s opening statements revolved around the arguments that they have already submitted in their designation and compliance reports. Firstly, ByteDance reiterated that it is the only designated entity with only one designated core platform service, noting that its power in the digital space is not equivalent to those of other regulated gatekeepers and raises questions about the necessity of the designation. This relates to the viewpoint given in their designation decision, as ByteDance is newer and smaller in size than other regulated incumbents, it should be viewed as a challenger and not an incumbent gatekeeper. In support of this idea, ByteDance reminded the Commission and audience that they have not been subjected to any antitrust investigations, unlike the other regulated gatekeepers.
ByteDance’s compliance strategy is relatively straightforward, as they maintain that most provisions do not apply to them as they do not operate an ecosystem of services. Where the DMA does apply, they consider themselves already compliant. As a result, they only discussed changes related to articles 6(9)-(10) DMA in the first session and 5(2) and 15 DMA in the second sessions. These changes only related to their social media service TikTok. It should be noted that ByteDance has also objected against the designation as a social media platform. ByteDance – in line with their observations submitted for the designation decision – argues that it should be viewed as a video-sharing platform as it does not require users to be connected to users, users do not have to post content, and most users do not post content.
Data portability and access – Articles 6(9) and 6 (10) DMA
ByteDance’s discussion on data portability and access started with a reminder that they already offer data access and portability services to their users. ByteDance offers its Download Your Data (DYD) portal, where users can download all their data so that they can access it or send it to other parties. On article 6(9) DMA, data portability for end-users, ByteDance has made several changes to their existing DYD tool.
First, they have made improvements to the DYD tool, including access data speeds and offering more granularity in selecting data for end-users. Previously, end-users could only download all of their data in one file. Now, end-users can make a selection which may include or exclude their posts and profile, activity, direct messages, or all data. Before the changes, sending this data would require 1 to 2 business days, now it will happen in a matter of seconds.
Second, ByteDance has amended its systems to allow for direct transfers to third parties by developing its Data Portability API. The Data Portability API allows third parties to integrate direct data access into their services. Users are able to authorize third parties in collecting data through either a one-off authorization or a recurring request, allowing developers to make periodical requests over time. The recurring requests expire after a year, users can revoke authorization in the meantime. Users can also customize which type of data they wish to be ported. ByteDance has provided details on how third parties can apply for access to the API. For this, third parties must make their onboarding documents and reasonable conditions of use publicly available. TikTok will conduct a review of the application of third parties to ensure the safety and security of users. ByteDance argues that this process is objective and transparent, and its sole purpose is to block malicious parties from gaining access to user data.
On 6(10), ByteDance has explained which types of data it offers to business users. Here, they explained that ByteDance already offers vast quantities of relevant data to their business users free of charge. TikTok also offers tools for business accounts and authorised third parties that offer insights into data from these accounts and their activities on TikTok and the user engagement with this account. TikTok shares data generated by the business user, whether provided or generated on the basis of its activities, aggregated non-personal user engagement data, and end-users data that is available to end-users. The last category of data includes data on direct communications and interactions between the end-user and the business user.
Business users have access to multiple tools to access this data, including downloading it through DYD, looking at aggregated end-user data in the Business Analytics portal, and obtaining data through the Accounts API. ByteDance offers documents to provide guidance on how business users can access and use data.
The biggest questions relating to ByteDance’s compliance strategies relate to their data access and data portability API. Many of these related to the verification process for access to the Data Portability API and the conditions for access. ByteDance has set out their review process, and has remarked that it may take 3 to 4 weeks before access is available. It must remain to be seen whether it is sufficient to offer recurring request moments, and if allowing for a period of one year (and not more customization of the period) is sufficient. Offering recurring request moments may not constitute real-time data access as mandatory under the DMA. For now, ByteDance believes that it is compliant.
Data processing, consumer profiling – Articles 5(2) DMA and 15 DMA (& other relevant provisions)
In the second session, ByteDance discussed their compliance with 5(2) DMA and 15 DMA. The discussion on art. 5(2) DMA was brief. ByteDance reminded the Commission that it does not operate an expansive ecosystem of products and services and therefore does not share data between them. They do note that allowing large ecosystems to share their data across services may provide them with a (potentially undue) competitive advantage, likely in reference to their challenger status. ByteDance walks through its consent flow screens and the information provided to users briefly, to explain how they obtain consent.
The discussion on art. 15 DMA is more elaborate, it is also the only time art. 15 DMA is discussed during a compliance workshop. ByteDance explains that they have engaged in the activities required for the development of the article 11 consumer profiling report. These activities were being audited by KPMG at the time of the workshop, and results were expected soon, but they expected that the Audit would show them to be compliant.
Internally, ByteDance has reviewed the requirements under article 15, in particular 15(2) DMA. From this review they have compiled a list of all product features which could potentially fall within the scope of the TikTok platform service. Then, to discern whether data falls in the scope of the requirements or not, they developed a scoping methodology. It then focused on which models were relevant for profiling. First, it discerned if the model applies to TikTok users and users in the EU. Second, it was seen if the model related to interests, behaviour or demographic details or location of the users, Third, ByteDance looked at whether the user was a consumer as used in article 15 DMA. ByteDance then relied on a line by line review and we have created a centralized list. ByteDance notes that these models are narrower than profiling techniques, as a profile technique tends to relate to a number of different models.
In terms of activities related to the audit, ByteDance explained that it first had to scope out how the auditor understands profiling, then to understand how profiling techniques are understood in the DMA and by the auditor, and then develop an internal and external team to support the audit. The auditor was chosen through a strict procurement process, signatory processes and numerous ranks of engagement letter drafting. This took quite some time and effort to complete.
ByteDance then produced a number of reports for audit by KPMG. These reports included analyses of the TikTok environment to develop an understanding of the data protection interests of users and the characteristics of the services provided by TikTok; created a methodology to assess the relevant profiling techniques; helped the auditor to come to understand ByteDance’s internal control environment for implementing the techniques; they determined whether this control environment was accurate; then further risks were identified. The control environment consists of assurance procedures which include discussions with management, staff for developing profiling techniques, staff responsible for providing information etc. Finally evaluating internal and external documentation to look at the reliability of the reporting.
ByteDance concluded their presentation by again explaining what profiling means and what it is used for. This may be for personalization of TikTok services, but can also help to create or recommend safety features for users. ByteDance wanted to emphasize the difference between these types of profiling.
The Q&A mostly discussed the shape and neutrality of the choice and consent screens for users, as these differed between the presentation and the compliance report. Moreover, questions were raised about the definition of consumer for the purpose of consumer profiling. ByteDance argues that it relies on the definition of consumer as used in the Consumer Rights Directive, being “any natural person who is acting outside of his craft, trade or profession”. However, business users are identified by TikTok through self-registration. This raises the question whether their definition of consumer aligns with how they distinguish between business users and consumers in practice.
Observations
ByteDance’s workshop, like its compliance report, seemingly raises only few questions with observers. The discussions in the workshop mostly mirrored the statements made in the compliance reports, and ByteDance maintains that they are compliant with the provisions that apply to them. The most interesting part was the discussion on art. 15 DMA, not only because this is the only time this provision has been discussed in any workshop and gives insight into the processes of the gatekeeper, but also because it raises questions about definitional issues in the DMA. The term consumer is not defined in the DMA itself, but in other EU secondary legislation. Finally, it must be seen whether ByteDance’s compliance strategy will need reviewing if their advertising service is also designated as a CPS, a procedure that is currently ongoing.