With more than one billion downloads, TikTok (formerly known as Musical.ly) became one of the most attractive social media platforms in popular culture. As the popularity is expanding globally, it is inevitable for the governments to review on the app. Like many of those, TikTok has also being investigated as the major data security and foreign investment concerns have been emerged in different jurisdictions since those two falls into national security laws and policies.
U.S. Perspective: Major Threat for National Security
It is well known that an economic war between People's Republic of China (“China”) and United States of America (“U.S.”) surfaces time the time on different subjects such as government sanctions or export regulations. Since TikTok is created by developers in China, it has been seen as a potential security concern by certain U.S. authorities to the extent that information of government employees who already have or may have authorization to access to the sensitive information may be divulged or compromised.
Since collection of data related to these specific individuals and their daily activities, such as their location data or search engine history, possesses certain risks due to the possibility of information related to the national security to be disclosed or to be used for blackmailing purposes to target these individuals; U.S. Department of Defense along with U.S. Navy and U.S. Army urged its employees to refrain from downloading or using the app. Furthermore, on March 12, 2020, Senator Josh Hawley presented a bill titled “No TikTok on Government Devices Act” to the senate stating that TikTok should be banned for use and downloads on government-issued mobile devices. Moreover, the Act defines TikTok as a national security threat to U.S. persons who are not currently working as a government employee. The main concern here is these persons also have potential to become a government employee and carry sensitive tasks in the future as explained above.
Avoided Foreign Investment Regulations
Besides the national security risks deriving from data collection, The Committee on Foreign Investment in the United States (“CFIUS”) is reportedly opened an investigation on TikTok because the parent company of TikTok, ByteDance, did not explicitly requested clearance from the CFIUS on its acquisition of similar American app Musical.ly in 2018. This situation could potentially result ByteDance to unwind the merger of Musical.ly (currently TikTok) entirely due to CFIUS’s authority to examine and act on transactions which will result in the acquisition of an US-based strategically important tech company’s control by foreigners. This would not be the first time to see CFIUS to use its authority to order of the sale of a company based in China. In 2020, CFIUS ordered the sale of Grindr, a dating app, since it decided that ownership of the US company by Chinese gaming company Kunlun Tech caused a national security risk. Same restrictions may potentially apply to Tiktok due to ByteDance’s close relation with the government of China. ByteDance’s joint venture with a state-owned Chinese media group causes its close relations with the government of China and increase the concern regarding potential national security risks.
Intelligence Operation Requirements
U.S. authorities reportedly opened further investigation on TikTok due to the legal requirements which ByteDance, Chinese parent company is subject to. Such legal requirements force ByteDance to co-operate with the Chinese government for intelligence operations which might result in transfer of location, image and biometric data as per National Intelligence Law of China. Even though TikTok published a statement on November 5, 2019 indicating that U.S. citizens’ data is managed by U.S. employees and not subject to regulations of China, the major concerns regarding national security is yet to be alleviated.
To eliminate any possible legal risks, companies should check all possible government sanctions and regulations before they make any investments in the relevant market.
EDPB of EU to Establish a Taskforce
On June 10, 2020 European Data Protection Board (“EDPB”) announced that it has decided to establish a taskforce to “coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU” during its 31st plenary session. Prior to the EDPB’s decision, Dutch Data Protection Authority had already announced that it shall investigate TikTok in regard to the processing of the minors’ personal data on May 8, 2020.
The Transfer of Personal Data to Third Countries
As stated above, due to the legal requirements which TikTok is subject to may cause all personal data processed through such application to be transferred abroad. Pursuant to the General Data Protection Regulation (EU) (2016/679) (“GDPR”), personal data may only be transferred to third countries or to international organizations from a data controller which falls under the jurisdiction of the European Union (“EU”)/European Economic Area (“EEA”) if the adequate level of protection to data subjects’ rights are provided.
In case that such legal requirements force the data collected through such app to be presented to the public intuitions in China, there will be a data transfer and processing by such public intuitions without necessary information to be provided to the data subjects in this regard as per article 13 and 14.
The Processing of Minors’ Data
Children need more specific and complex protection when their personal data is being collected and processed, since they are less aware of the risks involved in such processing. Even though TikTok, like most of the social media platforms, requires user to accept terms and conditions indicating that they are fulfilling national age limitations in context of being legally able to consent, it is unclear whether solely imposing such terms and conditions on users without any further adequate safeguards covers the principles of data protection by default and design under the GDPR. The conclusions of above-mentioned investigations are expected in the following months in this regard.
In 2019, TikTok had settled with U.S. Federal Trade Commission to pay a fine due to allegations on unlawful collection of minors’ data as per the Children's Online Privacy Protection Act and inability to seek parental consent before collecting personal data, such as names and e-mail addresses, of the users under the age of thirteen. Furthermore, Information Commissioner’s Office had also launched an investigation in this regard against TikTok. Such background resulted in TikTok to introduce ‘age gate’ and remove unlawful personal data from its platform, yet, there are still data security concerns on above mentioned issues.