Advertisement
TikTok
OpinionComment
Chi Yin
Tonghui Zhu
Chi YinandTonghui Zhu

Opinion | Why China’s strong data privacy laws should reassure TikTok, ByteDance sceptics

  • ByteDance is registered in Beijing and thus subject to Chinese law, giving those whose data privacy it violates the potential for redress through Chinese courts
  • China’s data security laws are on a par with the world’s strongest, and prosecutors have shown an appetite for pursuing violators

Reading Time:3 minutes
Why you can trust SCMP
0
A man uses TikTok on his phone at a cafe in Hanoi, Vietnam, on April 6. Authorities in several countries, most notably the United States, have raised concerns about TikTok, its parent company ByteDance and its data privacy practices. Photo: EPA-EFE
Chi YinandTonghui Zhu
In the ongoing uproar over TikTok’s perceived threat to the United States, we have lost sight of the issue most relevant to ordinary users of the platform – the vulnerability of their personal data. Two cases of data misuse have made headlines so far: TikTok’s Chinese parent company, ByteDance, admitted to inappropriately obtaining the data of two reporters, one from BuzzFeed and one from the Financial Times.

Disappointingly, there has been no discussion of the lawsuits those reporters could potentially file against ByteDance. Such a discussion would illuminate the legal protections available to the reporters and the other estimated 1 billion TikTok users worldwide.

ByteDance is officially registered in Beijing. Therefore, its behaviour – including its behaviour in processing users’ personal information – is governed by Chinese law. Given ByteDance’s admission of wrongdoing in the case of the two reporters, the reporters could file a suit with the Haidian District People’s Court. They could ask that the company be held liable for violations of China’s Personal Information Protection Law (PIPL).

There are two reasons we think they would win their case. First, China’s legal system gives significant protection to personal data. In the past few years, China has passed a set of data security laws, including three fundamental pieces of legislation – the PIPL, the Cybersecurity Law and the Data Security Law – as well as about a dozen rules for implementation.

Data security experts both in and outside China note that the PIPL contains many concepts and definitions reminiscent of the European Union’s General Data Protection Regulation (GDPR), considered one of the world’s most stringent privacy and security laws.

In some ways, the PIPL is even stricter than the GDPR. For example, the GDPR provides “legitimate interest” as a legal basis for processing personal data without users’ consent. The PIPL does not. Only the PIPL requires users’ additional consent before processing sensitive data. The PIPL also goes further than the GDPR in regulating against automated decision-making.
Advertisement