Is TikTok a knock-knock joke?

TikTok. Who’s there? That is a question we all might want to ask. Who has access to that company’s data about subscribers around the world?

The Chinese Personal Information Protection Law of 2021 guarantees national data subjects privacy rights and outlaws the misuse of personal data. China has also implemented the Data Security Law that makes companies categorize data elements and limits cross-border data transfers. The country’s Cyberspace Administration reviews, and must approve, all external data transfers. Some commentators have likened these laws to the European Union’s GDPR. These analysts are nuts.

Article 33 of the Constitution of the Communist Party of China says, in part, “Primary-level Party organizations in nonpublic sector entities shall implement the Party's principles and policies.” The government often takes so-called Golden Shares in private companies that may include a board seat. As a result, Party representatives are easy to find in many of the country’s private and publicly traded companies.

Article 7 of China’s National Intelligence Law of 2017/18 states that, “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law.”

In short, relationships between Chinese companies and their government are very different from private sector company relationships with governments in the West.

So, TikTok. Who’s there? It’s the Chinese Communist Party. That may be a knock-knock joke of sorts, but it’s not very funny.

Still, all around the world the state of data privacy faces challenges.

The hands of the United States government aren’t exactly pristine. American social media firms capture consumer data with abandon and, as we have learned from the “Twitter Files,” US intelligence agencies have a somewhat handsy relationship with at least some of the country’s tech giants.

Of course, there is an important difference. The US is a constitutional republic and nation of laws. These are usually, although sometimes reluctantly, followed. China is an authoritarian state. China blocks many American social media sites, including Facebook and Twitter. Should the US do the same to TikTok? That is up to the citizenry and its elected representatives. Given the US government’s soiled fingers, it is hard to view this as a uniquely moral question. It is certainly a strategic one.

Why in the world should you care?

The TikTok kerfuffle shines a light on data privacy and the right of citizens to own not just their own information, but data about them. It also illuminates the constant struggle companies face in effectively securing personal data.

I managed two SaaS companies. One was hosted on Amazon Web Services and the other on its own servers at a co-location facility. The latter environment was an eye-opener.

That site, like most others, was under external attack every second of every day year round. There were no holidays, vacations, or sick days. Since the company had access to all security logs it was evident where the traffic came from. It was from everywhere, but most frequently from what appeared to be government-sponsored activity.

What should your company do?

First, constantly secure and review your data facilities. Where you control the infrastructure, be relentless in securing the perimeter. If you have an internal security organization it may seem like the “Department of Paranoia.” When in doubt, take their advice.

Second, make sure you have an internal data classification policy in place. Know what data you collect and ensure that you only capture what is legal and what you really need. Limit access. If you have unnecessary data, delete it.

Third, make sure you review and, when necessary, restrict what sites your employees may visit while on your network or using your computer equipment.

Fourth, consider making data privacy and security part of your company’s core value proposition. No company’s values include the phrase “we will relentlessly stalk you and capture your personal data wherever we can.” Make sure your practices match your values.

Fifth, if your company has a formal Environmental, Social, and Governance policy, make sure data sensitivity is part of it. This is one area that impacts both the S and G.

Sixth, and most importantly, if you advertise on TikTok make sure you do not transfer personal data in the process. It’s a wild, wild world out there. The recent focus on TikTok is a wake-up call for all of us.

Rise and shine.

Bill Blundon
