TikTok and Privacy Shield: When Governments Fight Over Privacy, Companies Pay a Price

July 2020 saw privacy concerns played out on a global, geopolitical scale. With both the TikTok and the Privacy Shield cases, governments were taking decisive action to protect their residents from abuse by other governments. Pointing to the similarities between the two cases is important for detecting emerging trends if more cases of similar nature emerge. The details are also important as companies try to identify any concrete steps they could take to adjust to this shifting environment.

The Similarities

Only a couple of weeks ago, the European Court of Justice invalidated the Privacy Shield program due to concerns over the US government’s access to the personal information of European Economic Area (EEA) residents. Earlier in July, the US government first raised the idea of banning TikTok over similar concerns, this time regarding the Chinese government’s access to the personal information of Americans. This weekend the rhetoric escalated, suggesting that such a ban is most likely imminent.

Another similarity between the two cases is the swift action the governments are taking in response to these concerns. While the Europeans deliberated the Privacy Shield case in the courts for months, once the invalidation decision was made it took effect immediately, providing no compliance grace period for the companies relying on the program. The ban of TikTok, as currently discussed, seems just as decisive. In fact, news on August 1st indicated that the negotiations between Microsoft and TikTok’s owner, the Chinese company ByteDance, were put on hold after the White House expressed a preference for the ban rather than an acquisition by an American company.

An argument can be made for other similarities: in both cases, there is no formal evidence that the abuse the governments are concerned about is, in fact, taking place; both the invalidation and the ban are more symbolic than practical in preventing the sophisticated intelligence agencies of the US and China from obtaining information that is of interest to them; and it will be difficult to police companies that continue to move personal data to the US without the expected legal protections, just as it will be difficult to prevent individuals from finding creative ways to use TikTok if it is banned.

Concerned about free speech due to the suggested ban of the app, the American Civil Liberties Union’s (ACLU) Surveillance and Cybersecurity Counsel, Jennifer Granick, captured the commonality between the TikTok and the Privacy Shield cases when she said on July 31st that, “…we should be concerned about the risk that sensitive private data will be funneled to abusive governments, including our own.”

The Lesson

Companies must be ready to improve their control over the import and export of personal data to and from other countries. This is not easy to do. Many companies have spent significant resources on protecting their data from attackers, rather than on controlling the movement of personal data within their own network or to their partners. This is especially true when dealing with third parties. Vendor management programs are still heavily focused on financial efficiencies and on the security programs the vendors have in place, rather than on the use of the company’s data by its processors and their various sub-processors. The foundational building blocks of the capabilities companies need to adopt may appear simple, but they are hard to implement effectively:

  1. Know what personal data you keep across your global IT environment, and where around the world those data repositories are located.
  2. Know the identities behind the personal data and their respective countries of residence.
  3. Know the authorized users and/or recipients of this personal data and in what countries the personal data is processed.

These building blocks represent the data points needed to address the concerns of both the EU Court of Justice and the US government. It is a formula of sorts:

[data subject’s country of residence] + [location of the data] + [location of the user] = [cross-border transfer]

For companies that are wondering whether or not they should really invest the necessary resources to apply this formula over their data, the answer is simple – if they operate in at least one country with an omnibus privacy regulation, they probably already have to.
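The formula above, applied as a runnable inventory check. This is an added example, not Dataguise’s code; the repositories, data subjects, user accounts and the high-risk country designation are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Repository:
    name: str
    country: str      # where the repository physically resides (location of the data)

@dataclass(frozen=True)
class Subject:
    subject_id: str
    residence: str    # data subject's country of residence
    repository: str   # repository holding this subject's personal data

@dataclass(frozen=True)
class Access:
    user: str
    country: str      # country from which the user processes the data (location of the user)
    repository: str
    third_party: bool # True for vendor / sub-processor accounts

def cross_border_transfers(repos, subjects, accesses):
    """Apply the formula: a (residence, data location, user location) triple is a
    cross-border transfer when any two legs differ. Returns the number of affected
    data subjects per triple, which is what a transfer dashboard would list."""
    location = {r.name: r.country for r in repos}
    by_repo = defaultdict(list)
    for a in accesses:
        by_repo[a.repository].append(a)
    affected = defaultdict(set)
    for s in subjects:
        data_country = location[s.repository]
        for a in by_repo[s.repository]:
            legs = (s.residence, data_country, a.country)
            if len(set(legs)) > 1:          # at least one leg crosses a border
                affected[legs].add(s.subject_id)
    return {legs: len(ids) for legs, ids in affected.items()}

def high_risk_exposure(transfers, high_risk):
    """Transfers whose data or user location is a company-designated high-risk country."""
    return {t: n for t, n in transfers.items() if t[1] in high_risk or t[2] in high_risk}

# Constructed sample inventory (assumed, not real customer data)
REPOS = [Repository("eu-crm", "DE"), Repository("us-warehouse", "US")]
SUBJECTS = [Subject("s1", "DE", "eu-crm"), Subject("s2", "FR", "us-warehouse"),
            Subject("s3", "US", "us-warehouse")]
ACCESSES = [Access("alice", "DE", "eu-crm", False), Access("bob", "US", "eu-crm", False),
            Access("vendor-x", "CN", "us-warehouse", True), Access("carol", "US", "us-warehouse", False)]

if __name__ == "__main__":
    transfers = cross_border_transfers(REPOS, SUBJECTS, ACCESSES)
    for legs, n in sorted(transfers.items()):
        print(f"residence={legs[0]} data={legs[1]} user={legs[2]} subjects={n}")
    print("high-risk exposure:", high_risk_exposure(transfers, {"CN"}))
```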

Dataguise Can Help

At Dataguise we believe good privacy management starts with good data management. Companies that do not take data privacy and data security seriously face significant financial, legal, and brand damage, not to mention the fines for non-compliance with evolving laws.

The problem is that personal data is extremely difficult to manage, and it is getting harder all the time as data volumes grow and data gets stored, used and shared all over the world, both on premises and in the cloud. Many times, companies hold personal data that they did not even know existed. That is exactly the problem Dataguise is solving.

We make it faster and easier for companies to find and manage personal data across the enterprise… so they can identify it, protect it appropriately, use and share it responsibly, and manage risk and compliance with full confidence in their knowledge of the personal data they hold.

The Dataguise privacy technology includes a set of automated dashboards that address many of the key issues underscored by the TikTok and Privacy Shield cases. These dashboards and corresponding reports are based on the data we discover and scan across repositories and data formats – from databases to documents.

  • Cross-border transfers – We provide a complete list of the cross-border transfers from each country of residence of the data subjects.
  • High-risk countries – Our dashboard allows companies to designate certain countries as high-risk for processing personal data and immediately shows what personal data is processed there.
  • User access analysis for privacy – Our customers can identify personal data and data subjects of interest and receive a list of the internal and third-party users of that data.
  • Third parties’ risk prioritization – We risk-rate our customers’ third parties according to the personal data they process.

If you would like to see our technology or dashboard reports in action, you can request a demo here: www.dataguise.com/Demo

About the author:

Sagi Leizerov, Ph.D., SVP Enterprise Privacy Solutions at Dataguise

Sagi is a Certified Information Privacy Professional (CIPP/US) with over 20 years of privacy and data governance experience. You can check out his full bio here.