In a summer dominated by the Schrems II decision invalidating the EU-US Privacy Shield, the news story that continues to dominate business headlines is Microsoft’s pursuit of acquiring TikTok’s US, Canada, Australia and New Zealand operations. While the subject of privacy may feel like a subject that has been done to death over the last few years, this is a little different. The interest that has been generated in the potential purchase of the app, and the US President’s high-profile intervention in the negotiations, further demonstrates the importance to governments of keeping their citizens’ data firmly within their own borders.
TikTok, a popular mobile app used for video streaming, also collects and stores basic user details, contact information, location information, IP address, behavioural habits and viewing history, and can even monitor users’ keystrokes. It is that the US government is concerned about, and argues that it wants to stop this being collected by a foreign private entity (TikTok/ByteDance), domiciled abroad, that may be able (or required by Chinese law) to pass this data to the Chinese authorities, thereby allowing them to ‘spy’ on American citizens.
This ‘data sovereignty’ is now a core consideration in assessing opportunities in global markets, and increasingly affects free trade and geopolitics. ‘Data sovereignty’ refers to the policy by which information flowing or having a connection to a certain state is governed solely by its laws and governance. Linked to this is the concept of ‘data localisation’, by which jurisdictions such as Russia, China, and more recently India have passed laws that require organisations (typically those such as Microsoft, Facebook and others) to retain their citizens’ data on servers located in such jurisdictions. The GDPR can arguably be considered a ‘data sovereignty’ rule in that it extends the law’s application to any companies (mostly online service providers) targeting EU citizens, regardless of where they are established, and sets strenuous ‘equivalence’ obligations before data can be sent or in some cases even accessed overseas.
However, in this case, the US administration has gone further in effectively forcing TikTok to divulge its operations on several Western states, by threatening to ban it completely in the US for allegedly having the ability to share users’ data with the Chinese authorities, in a manner similar to measures taken against Huawei. This policy therefore affects not just the storage and laws applicable to data collected by TikTok, but its entire operations within jurisdictions. Most notably, the US, Canada, Australia and New Zealand make up four of the ‘Five Eyes’ surveillance data sharing nations, so at a time where geopolitical tensions are strained, states are actioned to collectively keep citizens’ data within their boundaries.
For large multinational e-commerce, technology and platform operators, the variety of data sovereignty measures that states can enact therefore present an occupational hazard to targeting markets overseas, and will require at the least localised data centres, and at the most complex organisational structures or local entities to navigate these hazards. The free movement of data can no longer be taken for granted.