Introduction
In early 2023, a Twitter spokesperson for TikTok, Brooke Oberwetter, called the Biden administration’s ban of TikTok from all devices used by US federal employees ‘little more than political drama’[1].
Fast forwarding to today, it appears the US v TikTok saga fits this characterization. From the Supreme Court of the United States ruling that the app would be banned starting from the 19th of January 2025[2] to the 75-day extension that has since been granted by President Trump, a lot is unclear about ‘TrumpTok’s’ future in the US. This is not helped by the fact that the application, owned by Chinese internet company ByteDance, is used by 170 million people across the US.
Politics and Trump aside, what are the data protection concerns with TikTok which continue to ring true for researchers and governments worldwide? How is UK TikTok different from US TikTok from a privacy policy perspective? Might the UK ever follow in the US’s footsteps with a nationwide ban?
Data Protection Concerns with TikTok
TikTok is by no means the only social media platform that poses data protection concerns. But given its increasing popularity and notoriety in recent news, this article will look at these concerns through the lens of TikTok.
Before finding a large audience on the app during the recent presidential election and pivoting to ‘SAVE TIKTOK’ (a move involving the ordering of a legally questionable 75-day extension in a bid to bring it within 50% ownership of the US), President Trump’s words in 2020 were:
“TikTok automatically captures vast swaths of information from its users, including Internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.”
Whilst Trump’s concerns were largely focused on national security and are characteristically vague, his remark on ‘vast swaths of information’ and allusions to disproportionate tracking serve as a useful starting point for the discussion on the data protection concerns posed by TikTok. Indeed, we’ve seen the EU, the US, the UK and Canada all impose bans on using the app on government devices in light of the concerns it poses to users’ privacy.[3]
UK TikTok versus US TikTok
TikTok users in the UK are provided with a privacy policy that aims to comply with the UK General Data Protection Regulation and the Data Protection Act of 2018. TikTok users in the US are provided with a privacy policy that aims to comply with laws including the California Consumer Privacy Act for California residents.
When questioning the differences from a privacy policy perspective between US TikTok and UK TikTok (‘UK TikTok’ being the version available to UK users and vice versa), the information that TikTok automatically collects is an interesting category to look into. It not only constitutes a nod to ‘vast swaths of information’, but is also information you didn’t actively provide and which you might therefore not necessarily know is being collected.
Difference in granularity
Reading the two privacy policies, it is clear that the one for UK users is more specific, a fact not surprising when considering it falls under a stricter data protection regime: Article 14 UK GDPR mandates that controllers who process personal information without having obtained it directly from the data subjects themselves must provide very clear transparency material.
Demonstrating this difference, the UK TikTok privacy policy states specific examples of personal data collected about the way the user uses and engages with the platform, namely, ‘how you interact with content and ads’, ‘the duration and frequency of your use’, ‘your engagement with other users’ and your ‘search history’.
The US privacy policy’s counterpart paragraph instead just states that it collects ‘information about the way you use the platform and any other user content that you generate or upload to the platform’. This would likely include search history, for example, but US data protection laws determine US users don’t need to know this level of detail.
Difference in device information collected
Roughly speaking, the US privacy policy and the UK privacy policy read in a way that suggests that an equal amount of information – and type of information – is collected from both UK and US users. An exception to this, interestingly, lies in the device information collected.
The UK privacy policy states that TikTok collects ‘device model’, ‘operating system’, ‘keystroke patterns or rhythms’, ‘IP address’, ‘system language’ and ‘device settings’. The US privacy policy on the other hand states that TikTok collects ‘IP address’, ‘user agent’, ‘mobile carrier’, ‘time zone settings’, ‘identifiers for advertising purposes’, ‘model of device’, ‘the device system’, ‘network type’, ‘device IDs’, ‘screen resolution and operating system’, ‘app and file names and types’, ‘keystroke patterns or rhythms’, ‘battery state’, ‘audio settings’ and ‘connected audio devices’.
For a privacy policy that is not legally required to be as granular as the UK privacy policy, we can assume that the US privacy policy is only listing a minimal amount here.
Inferred information
Another notable difference is that only the UK privacy policy talks of the inferred information about users’ attributes and interests that TikTok collects, which includes inferred age-range and gender. Yet as explained above about the less-strict transparency requirements, the fact that the US privacy policy is silent on this does not mean it doesn’t also collect the same.
Storage location
Bringing our very brief comparison between UK TikTok and US TikTok from a privacy policy perspective to a close, we see that a big difference lies in the storage arrangement, a fact that primarily fuels the national security concerns expressed by Trump in 2020 and maintained in the recent US Supreme Court ruling.[4]
On the one hand, TikTok stores data it collects from UK users in Malaysia, Singapore and the United States. On the other hand, while TikTok maintains that since July 2022 it has stored data collected from US users in the United States, it has come to light that it stores some user data in China.[5]
Storage location is an important consideration as it feeds into access: if data is stored in a country that can legally require access to data be granted to the government, storing data in that country poses an increased risk of access by unauthorised persons for unauthorised purposes. For the US, this is the risk of US user data being accessed in China by the Chinese Communist Party.[6]
This same problem could be said to exist for the UK, as its data is stored in the US – a country that has its own laws on government access to data.[7] Yet the US accessing UK personal data is not perceived to be of comparable national security threat level to the UK as China accessing US personal data to the US. This could ultimately explain why a nationwide ban of TikTok is likely not of interest to the UK.
TikTok’s processing of UK user data isn’t perfect
There are certainly recognised data protection concerns associated with TikTok’s processing of personal data of UK users. In 2023 the app was both banned from government devices over security concerns[8] and fined £12.7 million by the Information Commissioner’s Office for misusing children’s personal data.[9]
This also does not account for the plausible concerns that haven’t yet been subject to a judicial process or regulatory fine. For example, the principle of data minimisation, a cornerstone of the UK GDPR, mandates that no more personal data than is absolutely necessary for the purpose should be processed. It is very arguable that TikTok collects too much personal data for the purposes it seeks to accomplish, as evidenced by reading the UK version of TikTok’s privacy policy.
So, while there might not be any immediate national security concerns associated with the ‘vast swaths of information’ collected by TikTok in the UK, this does not mean the UK version of the app doesn’t pose any important data protection concerns. It does however mean that these might not be taken as seriously in the government’s agenda.
A spokesperson for the government has confirmed there are currently no plans for a nationwide ban, stating the government engages with all major social media companies to understand their plans for ensuring the security of UK data and to ensure they meet the high data protection and cyber security standards expected. UK government minister Darren Jones has confirmed this, stating there were no plans to extend the ban on the use of TikTok on government devices ‘to consumers using the app to share “cats or dancing videos”’. He continued: ‘We won’t be following the same path as the Americans unless or until… there is a threat that we are concerned about in the British interest, and then of course we will keep it under review.’[10]
Conclusion
TikTok poses data protection concerns worldwide, a fact that has seen the UK, the EU, the US and Canada ban it on governmental devices. The US is currently further scrutinizing these data protection concerns in light of its relationship with China.
While a stronger data protection regime applies in the UK than in the US, this does not mean UK TikTok is any less intrusive to users’ privacy than US TikTok, evident following even the briefest of comparisons between the UK and US privacy policies in terms of the amount of data indirectly collected from users.
But the UK’s seemingly softer approach to the app might be explained by the storage arrangement it has for user data. The UK government and ICO might still be finding their feet with regards to holding big organizations like TikTok to account under data protection law, and national security concerns might make for stronger action, but this does not mean that important data protection concerns should be left unaddressed.
It must be said that the UK government does recognise that TikTok is not perfect, as shown by its ban on governmental devices and the recent fine for its treatment of children’s data. But it is arguably turning a blind eye to other concerns, like TikTok’s respect for the principle of data minimisation.
It remains to be seen whether the UK, while watching the political drama unfold over in the US, will continue to scrutinize TikTok’s processing of UK personal data in a way that reaches beyond obvious sensitive matters relating to government and children.
[1] https://edition.cnn.com/2023/02/28/tech/tiktok-eu-ban-intl-hnk/index.html.
[2] https://www.supremecourt.gov/opinions/24pdf/24-656_ca7d.pdf.
[3] https://www.informationgovernanceservices.com/tiktok-goes-by-the-clock-bytedances-app-at-risk-globally/.
[4] https://www.supremecourt.gov/opinions/24pdf/24-656_ca7d.pdf.
[5] https://www.forbes.com/sites/alexandralevine/2023/06/21/tiktok-confirms-data-china-bytedance-security-cfius/.
[6] Laws allowing this in China include the National Intelligence Law of 2017. See also: https://www.cisecurity.org/insights/blog/the-chinese-communist-party-ccp-a-quest-for-data-control.
[7] For example, FISA 702.
[8] https://www.gov.uk/government/news/tiktok-banned-on-uk-government-devices-as-part-of-wider-app-review.
[9] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/04/ico-fines-tiktok-127-million-for-misusing-children-s-data/.