
The countdown is on for TikTok after Schrems II

Given the US’ threatened actions against TikTok and the outcome of Schrems II, it is clear that the spotlight is now firmly on international data transfers

President Trump’s recent comments about seeking to ban the popular video sharing mobile app, TikTok, have drawn immediate international attention.

The focus on the potential fallout for the app has continued following the US Secretary of State, Mike Pompeo, commenting on Sunday 2 August 2020 that TikTok, along with other software and apps with connections to China, may have action taken against them in the coming days, following Trump’s initial remarks.

The concerns expressed by the US relate to national security, in particular worries about the data being captured and potentially accessed by the Chinese government, even though TikTok has denied that any such access is currently taking place. Yet even the theoretical risk of such access by the Chinese government has been enough to start prompting action by the US.

Those in Europe may be drawing parallels between the recent US announcements and what has taken place following the ruling of 16 July 2020 from Europe’s highest court, the Court of Justice of the European Union (EU).

That European ruling, referred to in the media as Schrems II, dealt a ‘deathblow’ to transfers of personal data to the US pursuant to the Privacy Shield mechanism. However, the ruling went much further, sending General Data Protection Regulation (GDPR) shockwaves across all international personal data transfers from within the EU, whether to the US, China, India or elsewhere.

The Privacy Shield was previously a valid transfer mechanism for making GDPR-compliant international transfers. However, its demise was due to concerns about a lack of safeguards for personal data transferred from the European Union, against the backdrop of criticism about US surveillance and intervention measures.

The European ruling made it clear that these concerns also affect other personal data transfers, whether made pursuant to the Privacy Shield or other appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, which are the common GDPR-approved mechanisms used by organisations for international personal data transfers.

This has led to commentary that the ruling may result in a European-centric approach to data storage, hosting and access. However, the comments from the US over the past weekend about TikTok suggest that the US is now also potentially looking at a more US-centric approach to data retention and access. This is an interesting state of affairs, considering that European-US personal data transfers are currently under scrutiny.

Some commentators had expressed concerns following Schrems II that it was going to be difficult to assess foreign laws in respect of data protection and government surveillance activities.

From recent events, however, including the US actions against Huawei, the threatened actions against TikTok and the outcome of Schrems II, it is clear that the spotlight is now firmly on international data transfers, in particular on safeguards against foreign government interference with individuals’ privacy and rights in respect of their data.

Organisations will not be able to just sit back and wait for the fallout. They will need to take proactive action now against this changing landscape. This includes assessing their current international data flows, particularly intra-group transfers, as well as the use of cloud service providers and offshore support centres.

Europe’s data protection regulators have made it clear that a laissez-faire approach will not be tolerated. Considering the massive fines and adverse publicity associated with GDPR enforcement action and potential claims from individuals, it seems that a flurry of activity by organisations will be necessary to avoid personal data flows also going into lockdown.  
