Romania is going through some difficult times: it is repeating its presidential elections due to TikTok’s involvement in influencing the results.
24 November 2024 was a peculiar day for Romania: Călin Georgescu, an independent candidate with a far-right background, won the elections with 23%. While he won by only a small margin over the other candidates, the surprise was that he had been polling at 4-5% before the elections. After investigations by the Romanian secret service, it was revealed that TikTok’s algorithm was exploited by a mysterious “state-actor”, without specifying at the time which state might be behind it. As a result, the Romanian constitutional court annulled the results on 6 December, and the presidential elections had to be repeated; investigations against Călin Georgescu are still ongoing. On 4 May, ironically, another far-right politician won the first round with an even higher support of 40%, and the second round is ongoing as of now to decide between the two remaining candidates.
I do not wish to dive too much into Romanian politics, but a more burning question comes to mind: how did this happen? Doesn’t the EU have the most stringent rules on data protection and digital services? What is the benefit of all these laws if such a situation cannot be prevented?
Why is TikTok processing political data in the first place?
This is where the GDPR[1] should be able to guide us.
As a general rule, the processing of data revealing political opinions, as sensitive data, is prohibited in the EU[2], unless certain exceptions apply. Two of these could apply in this situation: one is the explicit consent of TikTok users, the other is when the data is manifestly made public by the users.
As for the first option, the fun fact is that TikTok doesn’t ask for explicit consent for processing political opinions, nor for any data under the GDPR. I could assess EU TikTok’s Privacy Policy to understand their approach to processing political data, but, unfortunately, there is no such reference. There are, however, interesting things, such as: “With your consent, we serve you with personalised ads based on your activity on and off the Platform”, practically meaning that whatever data gets into TikTok will also go out of TikTok. To top that, once you get in, TikTok will also automatically start collecting data about you from other websites via TikTok Pixel to give you more efficient doom-scrolling. They can also collect data from publicly available sources, government authorities, professional organisations, and even charity groups (!) (“Information From Other Sources” section).
Although the GDPR is not applicable in the US, given the current political sentiment aiming to ban TikTok, there is a remarkably different tone in the US version of the policy on consent:
“If you choose to engage in public activities on the Platform, you should be aware that any information you share may be read, collected, or used by other users. You should use caution in disclosing personal information while using the Platform. We are not responsible for the information you choose to submit.”
Whether TikTok relies on consent, or on blaming its users for manifestly “making public” the information they share, to justify its processing of political data is not clarified from the GDPR’s perspective.
To prove that it’s not me being picky, TikTok has also been under fire from data protection authorities for a lot of other reasons:
A €530 million fine (~$600 million) for transferring data from the EU to China a few weeks ago, ranking as the 3rd highest GDPR fine so far.
Another €345 million fine (~$388 million) for making children’s profiles public by default. By the way, adults’ profiles are still public by default - you might want to check your settings.
€14.5 million (~$16 million) had to be paid for allowing more than 1 million child users under 13 in the UK alone without parental consent. If you have kids, you might also check their settings.
Coming back to the Romanian elections, it seems that nobody contested TikTok’s consent model or lawfulness to process political opinions under the GDPR. The European Commission chose another direction: to use the EU’s brand-new Digital Services Act (“DSA”)[3] to force TikTok to closely monitor Romanian elections.
The EU Commission ordering TikTok to clarify the situation under the DSA
TikTok responded rather rapidly to the EU’s call, claiming to have removed several million fake likes and follow requests, more than one hundred thousand spam accounts, and close to 60 accounts impersonating Romanian politicians and officials - in the weeks after the already annulled election results. They have also revealed ties to Sputnik Media, which confirms Russian intervention in the Romanian elections by manipulating TikTok’s algorithm.
Although these measures were applied retroactively, and the harm was already done, I have to acknowledge that the mechanism under the DSA worked fast. The reason for this is that this law is still relatively new: it came into force in 2022, with further obligations gradually put into place over the past years by the European Commission. Another reason that explains TikTok’s rapid response to the EU Commission is that very large online platforms can be fined up to 6% of the annual turnover of the company, or their services can be temporarily suspended in the EU. While the EU is often accused of issuing large and blurry regulations, it did a good job of issuing specific guidance: already prior to the elections, it had issued guidelines on the mitigation of systemic risks for electoral processes. These guidelines require, for example, tagging influencers’ content as political ads, early detection of financial incentives for disinformation, preventing impersonation of candidates via fake accounts, etc.
TikTok has also issued mandatory public reports about its obligations under the DSA, where they made the following statement about political ads:
“Political ads: TikTok does not allow political advertising in Europe on the Platform. With almost half of the world’s population voting in national elections in 2024, bringing a higher volume of potential political content to the Platform, there is a heightened risk that TikTok encounters difficulties in detecting and enforcing against political content in ads”
The report includes a detailed assessment of the risks TikTok is posing to elections and civic integrity, such as election misinformation, fake engagement, geopolitical factors (consider that the war on Ukraine is close to Romanian borders), AI, etc. However, while it is indeed an interesting read to understand the background of the Romanian elections, and potential malpractices in any country, it is evident that TikTok failed to prevent this and the election results were clearly biased at least once.
Conclusion
TikTok first appeared as a harmless platform mostly used by kids for sharing memes in short videos with each other, and in a matter of a few years, it became a powerful weapon to influence elections through the exploitation of its algorithm. From a privacy professional’s point of view, it is interesting that no GDPR complaints were raised on this and that a more recent regulation was used to force TikTok to remedy the situation.
As a takeaway, be mindful that TikTok - or any social media platform - is logging what content you consume, whether it is political or not, and it will share your data cross-platform, without you knowing about it. Another issue with such algorithms is their black-box effect: even their creators cannot fully explain why you’re seeing a certain type of content. As a consumer, another risk you’re facing is an information bubble: social media platforms will only show you content based on your already existing interests, meaning that you can receive information from one political side only. When one of these sides is using an army of fake accounts, you can see where this can lead.
Consider what you consume online, check your privacy settings on all social media platforms, and even delete your preferences from time to time. If you’re curious what information TikTok holds about you, send a right of access request to them, and they have to show you what preferences you hold according to them. Take more control of your information, or others will do so.
[1] General Data Protection Regulation or Regulation (EU) 2016/679.
[2] Article 9(1) GDPR.
[3] Digital Services Act or Regulation (EU) 2022/2065.