Bans on TikTok Looming; Privacy Rights Violations, or Something Else?

Bans on TikTok Looming; Privacy Rights Violations, or Something Else? 

The Issue

        Breton, the European Commissioner for the Internal Market, has warned TikTok's CEO Shou Zi Chew that TikTok could face a ban in the EU if it does not comply with the Digital Services Act(DSA). Pressure has been mounting on TikTok from concerns from the US and EU over whether citizens' personal data could be accessed by Chinese government officials. Compounding on this was TikTok's admission that two journalists' TikTok data was accessed unlawfully by employees to identify leaks to the press. Although those employees were fired and TikTok's CEO stated such behaviour was 'unacceptable' in a public email, such breaches of privacy along with TikTok's own admission that employees in China could access European and US data significantly impacted public trust in TikTok's handling of personal data. 

        Currently the US government has banned TikTok on government-issued devices, with further legislation proposing a nationwide ban currently being proposed by US Senator Marco Rubio. These bans stem from concerns over "lack of transparency in how [TikTok] protects customer data" and fears over location-tracking of US military and politicians. These actions follow what India did 2 years ago, when they banned TikTok for "data collection by elements hostile to national security". TikTok has attempted to address these concerns and pledge towards greater privacy protections by releasing a new privacy update in November, but within that privacy update, they also stated that "remote access" to EU user data would be granted to employees in certain countries, including China. 

Why the concern? 

        These concerns over data collection by Chinese companies being accessed and used by the Chinese government is not new; similar suspicions over telecommunications data led to the banning of Huawei, ZTE, and such Chinese companies that manufacture or are otherwise involved in telecommunications infrastructure from the US as well as countries such as Japan and Australia. These concerns stem from China's National Intelligence Law which can mandate Chinese companies to grant government access to data if asked, without the option of refusal due to the 2014 Counter-Espionage law. If TikTok does not manage to successfully convince officials in the EU and US that they can affectively protect their data in compliance with privacy laws such as the GDPR, or if there are repeated breaches that threaten the safety of their citizens, it is possible that a total ban on TikTok may be enacted. 

        TikTok is also receiving marked attention due to not only such fears over foreign access of citizen data, but also due to its target and majority user base being young adults and minors; among the over 1 billion monthly active users, a third (32.5%) are under 19, and another 29.5% are between 20-29 years old. This puts the data collected and processed by the company as under the protection of child privacy laws, which in most countries tends to be more stricter and heavily enforced. For instance, Meta's Instagram was fined 405 million euros by the Irish Data Protection Commission for violating children's privacy rights in the GDPR. TikTok is treading a similar path, with France's data protection agency, CNIL, fining them 5 million euros for privacy violations centering around difficult-to-refuse and confusing cookies on its website. 

Are these the only reasons? 

        That being said, the TikTok ban and further proposed actions against the company arguably involve geo-political tensions just as much as privacy considerations. There has yet to be clear evidence that Chinese government officials have accessed and used TikTok's data for political (or other) gain. The leaks and issues so far have been internal employees of TikTok illegally accessing the data. Given the recent increase in US-Chinese tensions and the subsequent alienation of Chinese companies affiliated with the Chinese government, such as Huawei, TikTok may be just another step of reducing the influence of the Chinese government in the US and its ally nations. Additionally, the location-tracking feature that is of concern to lawmakers for its potential use in espionage, is a common feature of social media apps. One argument is that such nationalistic 'posturing' is being used to further the agenda of local politicians, which may include pushing a more comprehensive privacy regulation forward. 

Is TikTok the only social media company that has such privacy issues? 

        TikTok is far from unique in its data collection methods. Instagram and Twitter have used a similar recommendation model based on personalized user feed, and this in turn was partly the cause of Instagram's recent fines in the EU for violating the GDPR. Such algorithmic processing of user data to provide personalized results is a staple in personalized ads, which are used by most major online companies, including Google and Facebook. 

        That being said, TikTok is arguably collecting data in a more aggressive and intrusive manner than most of its competitors. Its default privacy settings collect far more than the minimal amount needed, such as user's contact lists, calendars, and device locations, as well as repeatedly asking for permission to collect such data if one changes the default settings to prevent it. There are also cybersecurity vulnerabilities, such as hackers utilizing TikTok trends to spread malware. Moreover, TikTok trends have arguably been the source of dangerous or negative behaviour, such as trends encouraging car theft, vandalism in schools, and general distraction from work or education. 

How have other countries reacted to TikTok? 

        In South Korea, TikTok already has a precedent of being fined 186 million won (around $150k) for mishandling children's data. At the time, this fine amounted to 3% of TikTok's yearly revenue, and came about due to TikTok's collection of data of children under 14 years old without legal consent of their guardians, as well as failure to inform that the data was being transferred overseas. In addition, recent tensions regarding TikTok's privacy protection seem to have discouraged other companies from approaching TikTok. For instance, Samsung's plans to provide TikTok with personal data of their users for targeted advertising purposes were cancelled last week. 

        Considering Korea's Personal Information Protection Commission (PIPC)'s recent declaration regarding their goals and objectives in 2023 (see here, No 45), it seems likely that TikTok will be included among online service companies that the PIPC intends to survey and regulate to protect Korean citizens' privacy. In particular, the PIPC specifies services that are highly integrated into people's daily lives, such as online communication and media, as well as adtech services that process data and use targeted advertising to be its primary targets for survey and regulation. The PIPC also specifies 'super-apps' as targets of survey, with priority given to apps with the largest active userbases. TikTok would almost certainly fall into one, if not all, of these categories. As the stated goal of the PIPC is preventative and early regulation of privacy protection, and given the precedent of the PIPC imposing significant fines on 'big tech' companies for privacy violations (see the 100 billion won fine on Google and Meta last September), it seems likely that TikTok will face scrutiny and possible regulation for its privacy practices that are already under fire by US and EU data protection officers. 

Conclusion

        Overall, it seems likely that TikTok's wave of bans and fines are more a symptom of both geo-political tensions as well as an overall rising awareness and regulation of privacy. While TikTok is hardly the first social media company to be punished for privacy rights violations in recent years - the Cambridge Analytica scandal of Meta and more recent fines on Google, Instagram, and Apple come to mind - they are under greater scrutiny for their links to the Chinese government. Huawei and such telecommunications companies with links to China were the first targets of censure by the US and its allies over fears of espionage and data abuse, and TikTok may be the second. 

        There is also the on-going development of privacy laws around the world to consider. Europe already has the GDPR, but in Canada, US, and in many other parts of the world, comprehensive privacy regulation is still being developed and discussed. As a global privacy framework develops, it is highly likely for tech companies that profit by processing user data such as TikTok, Meta, and Apple, to in turn be forced to adopt more stringent privacy protection policies or face censure and fines. Such a trend is a welcome development; despite the benefits of such data processing (such as targetted ads, more enjoyable viewing experience on TikTok and youtube, more accurate search results), they can also be just as easily abused to benefit companies (or governments) at the expense of the user (see the previous post on dark patterns as one such example).