
TikTok and Privacy Shield: When Governments Battle Over Privacy, Businesses Lose

Three Pillars Businesses Need to Avoid Finding Themselves in Similar Situations

“The summer of 2020 will be remembered as the ‘Summer of ____.’” That sentence can be completed by an unusually long list of candidates, and one of them is this: the summer of 2020 is when we saw privacy concerns played out on a global, geopolitical scale.

In the well-reported cases of both TikTok and Privacy Shield, governments took decisive action to protect their residents from potential abuse by other governments. Understanding the similarities between the two cases helps identify the trends and elements involved, so that businesses can, hopefully, recognize if and when similar cases are looming. It also points businesses to steps they can take to adjust to the evolving environment.

The TikTok and Privacy Shield cases bear similarities

In mid-July, the European Court of Justice invalidated the Privacy Shield program due to concerns over the U.S. government’s ability to access the personal data of European Economic Area (EEA) residents. Earlier that month, the U.S. government raised the idea of banning TikTok over similar concerns, in this case the Chinese government’s access to the personal data of U.S. citizens. TikTok has since sued the U.S. government, saying its platform is not a national security threat as claimed by the current Administration.

The two cases are also similar in that both governments took swift action to address the concerns. Europe deliberated the Privacy Shield case in the courts for months, but once the invalidation decision was made, it took effect immediately — no compliance grace period for the companies relying on the program. The U.S. ban of TikTok was just as decisive, although the looming court case along with the potential of a U.S. investor in TikTok leaves the outcome up in the air.

An argument can be made for other similarities between the cases as well. For example, there is no formal evidence that the abuse the governments are concerned about is, in fact, taking place. Also, both the invalidation and the ban are more symbolic than practical in preventing the sophisticated intelligence agencies of the U.S. and China from getting information that is of interest to them. Furthermore, it will be difficult to police companies that continue to move personal data to the U.S. without the expected legal protections, just as it will be difficult to prevent individuals from finding creative ways to use TikTok if it is banned.

As American Civil Liberties Union’s (ACLU) Surveillance and Cybersecurity Counsel Jennifer Granick put it, “we should be concerned about the risk that sensitive private data will be funneled to abusive governments, including our own.”

Three things businesses need to know about their personal data

As this new paradigm is defined, companies need to be ready to improve control over the importing and exporting of personal data to and from other countries — not an easy thing to do. Many companies pour significant resources into protecting their data from attackers — and for good reason — but they also need to think about controlling the movement of personal data within their own network or to their partners.

There are three key things businesses need to know in order to make this a reality:

  • What personal data exists across their global IT environment, and where around the world those data repositories are located.
  • The identities behind the personal data and their respective countries of residence.
  • The authorized users and/or recipients of the personal data and the countries where the personal data is processed.

These three data points are the pillars needed to address the concerns of the EU Court of Justice and of the U.S. government. The relationship can be stated as a formula: [data subject’s country of residence] + [location of the data] + [location of the user] = [cross-border transfer].
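As an added illustration, not part of the original article, the following Python applies that formula to a small constructed inventory: each asset records where the data sits, where its subjects reside and where its authorized users are, and the code lists every flow in which personal data leaves its subjects' jurisdiction. It treats the EEA as a single jurisdiction (an intra-EEA flow is not an export under the GDPR) and flags EEA-origin transfers that have no recorded safeguard; the system names, the `mechanism` field and the "SCC" value are assumptions made for the example.

```python
from dataclasses import dataclass

# EEA member states (EU 27 plus Iceland, Liechtenstein and Norway), as ISO codes.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
       "SE", "IS", "LI", "NO"}

def jurisdiction(country: str) -> str:
    """Collapse the EEA into one jurisdiction: an intra-EEA flow is not an export."""
    return "EEA" if country in EEA else country

@dataclass(frozen=True)
class DataAsset:
    name: str                 # repository holding the personal data (pillar 1)
    stored_in: str            # country where that repository sits (pillar 1)
    subjects_from: frozenset  # countries of residence of the data subjects (pillar 2)
    users_in: frozenset       # countries of the authorized users/processors (pillar 3)
    mechanism: str = ""       # transfer safeguard on file, e.g. "SCC" (assumed field)

@dataclass(frozen=True)
class Transfer:
    asset: str
    origin: str       # jurisdiction of the data subjects
    destination: str  # jurisdiction the data ends up in
    stage: str        # "storage": moved to the repository; "access": pulled by a user

def find_cross_border_transfers(assets):
    """Apply the formula: residence + data location + user location -> transfers."""
    found = set()
    for a in assets:
        stored = jurisdiction(a.stored_in)
        for home in {jurisdiction(c) for c in a.subjects_from}:
            if stored != home:  # data was moved out of its subjects' jurisdiction
                found.add(Transfer(a.name, home, stored, "storage"))
            for user in {jurisdiction(c) for c in a.users_in}:
                if user not in (home, stored):  # a user pulls it somewhere new
                    found.add(Transfer(a.name, home, user, "access"))
    return found

def eea_exports_without_safeguard(assets):
    """EEA-origin transfers on assets that have no recorded transfer safeguard."""
    unsafeguarded = {a.name for a in assets if not a.mechanism}
    return {t for t in find_cross_border_transfers(assets)
            if t.origin == "EEA" and t.asset in unsafeguarded}

INVENTORY = [  # constructed sample inventory, not real systems
    DataAsset("crm-eu", "IE", frozenset({"DE", "FR"}), frozenset({"IE", "US"})),
    DataAsset("payroll-us", "US", frozenset({"US"}), frozenset({"US"})),
    DataAsset("analytics", "US", frozenset({"NL", "US"}), frozenset({"US", "IN"}), "SCC"),
]
```

On the sample inventory this reports four cross-border flows, and only the EEA data in `crm-eu` read from the U.S. lacks a safeguard; a real inventory would replace the constructed assets with the repositories, identities and users discovered in the three pillars above.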

In the end, this type of strategy will be paramount as concerns over privacy on an international level are only likely to grow. For businesses wondering if they should apply this formula to their data, the answer is simple: if they operate in at least one country with an omnibus privacy regulation, they probably already have to.