Data privacy and the banning of TikTok

31 July 2023

On March 24, 2023, TikTok CEO Shou Zi Chew faced the House Energy and Commerce Committee of the United States Congress for an investigation by the FBI and the Department of Justice regarding data privacy and security concerns. The U.S. alleged that ByteDance, the China-based parent company of the popular video-sharing app, might leak sensitive data of TikTok users in the U.S. to the Chinese government, which TikTok denied in response.

Weeks earlier, government agencies in the U.S. were provided a window of 30 days within which to remove the app from federally-owned devices and systems because of these issues. Today, usage of the app is banned on federal, public sector and state employees’ phones in 32 states. Even certain universities in the U.S. have banned TikTok, among them the University of Texas and Auburn University.

The possibility of a nationwide ban looms as well, with the U.S. House Foreign Affairs Committee voting in March 2023 for a bill that will allow President Joseph R. Biden to ban the use of the app across all devices in the country.

To help address these issues, TikTok proposed Project Texas, an initiative to move user data from the U.S. into a third-party cloud infrastructure. All data gathered by the app are currently stored in Virginia and Singapore.

Aside from the U.S., several other countries have banned the app for similar concerns, but mostly on government devices. Among these countries are the U.K., Canada, France, Australia, New Zealand, India and many member states of the European Union.

“It is fair to observe that data privacy concern is not the primary driver for banning TikTok, given that whatever precautionary measures taken by TikTok to address such data privacy concern met outright rejection under the umbrella pretext of ‘national security,’ as advocated by the U.S.,” said Guo Cai, a partner at Jin Mao Law Firm in Shanghai.

“We take the view that TikTok is banned under the fear that ‘big data’ generated by this unprecedentedly popular app could get out of traditional regulatory control, posing threats to so-called Western ideology in light of TikTok’s Chinese shareholding background. That explains why TikTok was banned first and foremost in government and university campus, the front battlefield of ideology,” added Rui Qiang Xie, also a partner at Jin Mao Law Firm in Shanghai.

“Most social media services – if not all – are free to use, even though the costs are high in rendering those services,” noted Panisa Suwanmatajarn, managing partner of The Legal in Bangkok. To cover these expenses, she explained that service providers need advertisements to shore up funds that will enable them to deliver their services. However, users’ personal data are needed to run effective advertisements, and running a better system for users requires personal data and user experience.

Needless to say, TikTok is not the only service provider that collects personal data and user experience. Most, if not all, service providers also do so.

“The critical point is that users are well-informed about these collections before they are collected, and they have the choice of avoiding them or not,” said Suwanmatajarn. Regardless of the users’ choice, governments should not intervene as it is a personal matter to the individuals. In addition, those working on matters with intelligent information or national security concerns are trained or should have been trained to keep such information confidential.

She stressed that if any government wants to ban any social media for any cause, with or without reason, they could do so but only for government employees as those employees are on the government’s payroll. Citizens should have the freedom to do or not to do this kind of thing.

“All governments want to know what is going on in social media, who is doing what, and more importantly what the government’s opponents are doing,” she added. “The Chinese or U.S. governments would not do any different.”

In April 2023, Australia joined the list of governments that banned TikTok from devices issued by the Australian federal government. According to the article “Australia-wide ban of TikTok on government devices announced as senior politicians quit the app” published in The Guardian, the government said in its announcement that the app “poses significant security and privacy risks to non-corporate Commonwealth entities arising from extensive collection of user data and exposure to extrajudicial directions from a foreign government that conflicts with Australian law.”

Asked if he agrees with the ban, Alan Polivnick, a partner at Watson Farley & Williams in Sydney, answered: “As long as the law continues to recognize that government-supplied devices are not personal property, the government will continue to have the right to control the use of such devices. Currently, the holders of a government-issued device are not prevented from downloading TikTok on their personal devices. As conflicts and disputes increasingly involve and revolve around cyber security, cyberattacks and cyber warfare, moves to control the use of government-issued devices are likely to increase and broaden.”

According to Polivnick, data privacy laws in Australia provide minimum standards, rights and methods of redress for data privacy breaches and a system of compensation. While they can be updated, he said that updating the laws will serve little purpose when it comes to an app operated by an offshore entity with no presence in Australia. Difficulties in enforcing judgments, administrative orders and penalties outside Australia will make things worse.

“The strongest data privacy protection and the toughest data privacy protection laws serve little purpose in relation to apps operated by offshore entities if they cannot be enforced against the operators of such apps,” he said.

In Asia, the first jurisdiction to resort to banning TikTok was India. In June 2020, security and privacy issues prompted the Ministry of Electronics and Information Technology (MEITy) to implement a nationwide ban on TikTok, WeChat and 58 other Chinese apps. MEITy stated that such applications are “prejudicial to the sovereignty and integrity of India, defense of India, security of the state and public order.”

In January 2021, the ban became permanent.

According to Gautam K.M., a partner at K Law (Krishnamurthy & Co.) in Mumbai, India does not have express legislation governing data privacy and protection. However, personal data was included in the scope of data protection of the Information Technology Act, 2000, which was amended by the Information Technology (Amendment) Act, 2008.

On April 11, 2011, the government of India notified and published the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011.

Subsequently, the government appointed the Indian Computer Emergency Response Team (CERT-In) as the national agency for cyber security under the provisions of Section 70B of the IT Act and the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. The CERT-In Rules were brought into force on January 16, 2014.

In 2022, MEITy published the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill) for public input. The DPDP Bill, which replaced the Personal Data Protection Bill, 2019, aims to regulate data processing done outside India in connection to profiling and give data principals, whose digital personal data is processed, the right to control the extent to which their personal data can be used.

The bill has also introduced transparency in the current system so that the data principal is aware of the use and/or misuse of his or her personal data by third parties, including data fiduciaries. However, the bill has its share of lapses, according to Gautam.

He noted: “The proposed DPDP Bill is not exhaustive enough and has certain lacunae and exposures, including the scope of deemed consent where such processing is necessary, the approach taken towards the cross-border data transfer, the restrictive applicability of the legislation on digital data instead of aiming to protect all personal data of individuals and the ambiguities in the timelines within which the compliance of the provisions of DPDP Bill will be mandatory. For the mechanism of such compliances, technological advancements are not taken into consideration, and the applicability of the provisions of the DPDP Bill on AI, blockchain, etc.”

For its part, the Taiwanese government is studying the possibility of following in the footsteps of India and imposing a nationwide ban as well. In the meantime, a public sector ban has been ongoing since December 2022.

Asked if she believes TikTok should be banned in Thailand, Suwanmatajarn replied: “If TikTok is the only service provider that is banned for the reason of collecting personal data and user experience, what about other service providers that are doing the same as TikTok is doing?”

She notes that TikTok and other social media providers collecting and monitoring the personal data of people in Thailand are subject to the country’s Personal Data Protection Act (PDPA). Under the act, which follows the European Union’s General Data Protection Regulation (GDPR) as a model, social media providers should have the user’s consent before collecting his or her personal data. Hence, users should be clearly informed of what will be collected from them, and what the collected data will be used for.

In China, significant progress on legislation has been achieved in recent years to protect data security and personal information. Most recently, in March 2023, a government-led national data bureau was created to coordinate the construction of data infrastructure, data sharing and the development of data resources.

“Most Chinese netizens active on the internet were born after the 1990s, who, compared to their elder generations, are more vocal and embrace self-expression more. The Chinese culture is not loaded with excessive concerns for privacy. Consequently, most Chinese netizens do not worry about their data protection issues by using social media apps, such as Douyin and WeChat,” explained Xie. Douyin is the Chinese equivalent of TikTok.

Alternatives to TikTok banning

“The restrictions on TikTok highlight the limitations of national or supra-national data privacy laws in dealing with offshore and online platforms, which cannot be effectively prosecuted without a local ‘on the ground’ presence,” said Polivnick. “This is one of a number of legal issues where the technology and operations are developing and changing more rapidly than the relevant legal and regulatory regimes.”

Aside from banning or prohibiting the use of TikTok and other such applications, there are legal and regulatory remedies that can be undertaken to address data privacy issues involving these foreign-owned apps, including those owned by foreign companies with ineffective data privacy policies. The following are the measures Gautam and Suwanmatajarn shared:

  • There should be deemed consent. The data principal must be fully aware of the extent of the process of collection, organization, storage, alteration, retrieval, use, alignment or combination, indexing, disclosure, etc. of their data either by the data fiduciary or data processor and should be able to grant express consent for the same.

“In order to address situations wherein it will be practically impossible to seek express consent, but the data principal would expect the scope of the grant and the ‘deemed consent,’ such instances can be carved out as specific exceptions of ‘express consent,’” said Gautam.

  • The data fiduciaries collecting data must be made to store such data on the servers located in India. This is to avoid cross-border transfer of data and as mandated by Reserve Bank of India vide its Directive 2017-18/153, dated April 6, 2018, and issued under the Payment and Settlement Systems Act, 2007.

If this issue is not addressed in the DPDP Bill, Gautam said it may cause conflicts in legislations enacted for a particular sector regarding collection, organization, storage, alteration, retrieval, use, alignment or combination, indexing, disclosure, and others, of their data. Data localization would also ensure the accountability of the data fiduciaries.

  • Data fiduciaries and data processors must adopt and make public robust data protection and security policies in line with the applicable legislation so that its users or data principals know their exposures and understand the extent and purpose of the data collection, organization, storage, etc. At the same time, they also learn of the recourses available to them if there is a breach of their data.
  • Data principals must be given the right to instruct the data fiduciary and/or the data processors to delete their data from all places where such data is stored.
  • “Until robust legislation is enacted, data principals must ensure that any disclosure of personal data or information must be vide an executed agreement with the data fiduciary and/or the data processor to lay contractual obligations on the data fiduciary and/or the data processor and the same can be enforced,” said Gautam.

He added that data principals should also build safeguards like indemnity and termination rights to cover situations wherein the data fiduciary and/or the data processor breaches the security.

  • The contract between the data fiduciary and data processor must implement model clauses. This is when data processors located outside India are processing data of Indian nationals and if the legislation applicable to such data processors is not as robust as the law in India. The said clauses impose stringent obligations on the data processors akin to the obligations mandated under the DPDP Bill, which is similar to the mandate available under the GDPR legislation, according to Gautam.
  • The law should be diligently enforced, as having robust and up-to-date laws is not enough.

“While Thailand does have PDPA in place, the Thai regulator will diligently enforce the law and does not take a defensive approach like many other regulators, who are waiting for an injured person to file a complaint or only enforce matters in the news,” said Suwanmatajarn.

  • A secure system like blockchain for government services should be set up.

“Nowadays, not all government agencies have a proper system for communicating internally for confidential matters and externally for services at large. Some are using foreign-owned systems to communicate,” noted Suwanmatajarn.

In addition to these measures, individuals should always carefully read the terms of use and privacy policies of TikTok and other service providers before accepting them. They should also continuously check their settings and app permissions and restrict app access accordingly.

“It is our view that prohibition or outright ban evades rather than solves the challenges posed by the fast advancement of technologies, such as those embodied by TikTok and significantly, ChatGPT, for example. Prohibition of TikTok does not eliminate the privacy or alleged national security concerns at all, as more apps and advanced technology would continue to emerge and challenge the limits of regulatory enforcement. It is not to be forgotten that other social media tools such as Twitter or Facebook analyze and use big data as well,” said Xie.

Cai agrees.

Xie further said: “To target one single app because of its geopolitical origin will, for sure, meet robust legal challenges on constitutional law basis. Perhaps it is more reasonable or realistic to come up with means to regulate rather than to ban it entirely just because banning is much more convenient or politically correct.”

Guo Jun, a partner at Jin Mao Law Firm in Shanghai, also contributed valuable insights to the author of this story.

- Espie Angelica A. de Leon
