TikTok is usually associated with short, catchy videos that go viral. It is far less well known for being used by its Chinese parent company, ByteDance, to track journalists' locations using data collected by the TikTok app. Yet that is exactly the revelation that came to light last year.
Forbes has reported that ByteDance's internal investigation found that ByteDance staff had improperly used a combination of IP addresses and other user data to try to determine whether certain journalists who were covering the company had been in the same locations as ByteDance employees. The intention appears to have been to identify the source of leaks about ByteDance.
ByteDance has confirmed that this occurred because a small number of individuals within the company misused their authority by accessing TikTok user data without authorisation. The revelations have led to the dismissal or resignation of a number of individuals within the company.
TikTok proudly announced in 2021, when it passed the one billion monthly active user mark, that "More than 1 billion people around the world now come to TikTok every month to be entertained as they learn, laugh, or discover something new". It clearly did not envisage "discover something new" encompassing the above, which gives rise to some very serious implications.
The revelations have brought more adverse publicity for TikTok, at a time when it has been trying hard to downplay concerns about the flow of personal information to China.
This heightened concern about personal data safeguards, particularly in the context of transfers of personal data to China, led President Joe Biden to approve a ban at the end of last year that prevents federal government staff from using TikTok on devices owned by their agencies (with very limited exceptions for purposes such as law enforcement or national security). At state level in the United States, bans have also been applied to the use of TikTok on state-owned phones and computers, and some universities have blocked TikTok on campus Wi-Fi (the University of Oklahoma and the University of Texas among them).
ByteDance is clearly suffering ongoing reputational damage as a result.
Key points for organisations
The TikTok news is a timely reminder for organisations to check where personal data is processed by their service providers (particularly under cloud computing or SaaS arrangements) and by business applications, whether those reside on their own computer systems or on mobile devices. As previous large fines under the GDPR have shown, contractual assurances are important, but an organisation cannot rely on them alone to demonstrate its due diligence (whether under the UK GDPR or the EU GDPR, as applicable to the organisation). Organisations must also undertake proactive technical and business due diligence, making appropriate enquiries before entering into contractual arrangements. Depending on the nature of the personal data processing, this will usually tie into a Data Protection Impact Assessment carried out at that time.
An important factor that organisations sometimes overlook is remote administrative access to systems or databases. This has again been raised as a concern in the context of TikTok, in respect of the degree of admin access that is controlled from China. It should therefore be addressed as part of the due diligence and the Data Protection Impact Assessment. Organisations often focus solely on the geolocation of the service provider's hosting facility, rather than also considering who else can access those servers, from which locations and for which purposes, and whether that access is logged and independently reviewed. Overlooking this detail creates high risk not only from a GDPR compliance perspective but also from a cyber risk perspective, since an administrator with remote access can reach the data wherever it happens to be hosted.
Organisations also need to be mindful of how IP addresses and other unique identifiers are created, processed and stored, in particular how long they are retained. As the TikTok situation shows, such data can be combined to infer an individual's location and movements, with adverse privacy consequences if it is not properly managed.
Internal organisational measures also need to be clarified, particularly for 'sensitive' personal data (such as location data, financial information, special category data or criminal offence data). Audits need to be meaningfully undertaken. Again, the 'warnings' from the TikTok 'journalist tracking' investigation show that internal audits alone may be insufficient to provide the requisite level of comfort about how personal data is being used.
Finally, the fallout for organisations that fail to safeguard personal data adequately can be enormous, from a regulatory as well as a reputational perspective, as ByteDance can no doubt attest.
How we can help
At Mills & Reeve we have a wealth of expertise in advising on global EU and UK GDPR compliance projects (our specialist technology lawyers have advised some of the largest companies in the world in their sectors on global GDPR compliance arrangements), as well as on IT and other technology procurement and supply arrangements (having advised on billions of pounds' worth of technology arrangements).
Mills & Reeve's National IT, Data Protection and Cyber Law Team can therefore assist your organisation with all of these and other legal requirements.
Please feel free to get in touch to arrange an initial consultation call.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.