There are countless smartphone applications that have served as entertainment during these months. However, the most downloaded among the youngest, with over 500 million users, is the Chinese application "TikTok", which consists of generating and sharing content in the form of short videos on social networks.
Well, as always, its success puts it in the spotlight of third parties and there are already several legal gaps reported against the app. Firstly, from a copyright perspective, the application could infringe such rights in cases where copyrighted songs are being reproduced in its music videos - where users can play back specific song fragments - without having obtained the express consent of the copyright holders or without having paid the appropriate royalties to them. As evidence of this, the National Publishers Association in the United States has already warned that more than 50% of the publications made are unlicensed.
On the other hand, from a data protection point of view, while it is true that the app apparently complies with the General Data Protection Regulation 2016/679, the fact is that the capture of images linked to videos on the social network allows facial recognition technologies to extract biometric information, data categorized as particularly sensitive that the company is not treating as such. According to Reddit - the social platform that stores third-party comments on applications - TikTok is an application that works like Spyware.
However, the application has already had several legal drawbacks in countries such as India, the United Kingdom and the United States due to the illegal collection of user data. Specifically, it has recently been investigated in the United States for failing to inform users that their biometric data was being collected, captured, received, obtained, stored and/or used by the application, and was fined $5.7 million in March 2019 by the Federal Trade Commission (FTC), the regulatory body that protects U.S. consumers.
In our country, the app does not seem to be treating this data in an express way. However, if in the future it were to use, collect and process biometric data, it must expressly inform the user of such processing and must seek a basis for legitimizing such processing, in accordance with the General Data Protection Regulations and our Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. This cannot be the legitimate interest, as it involves particularly sensitive data, and therefore the explicit consent of the user must be obtained for the new processing.