What TikTok Tells Us About Data Regulations and About the Future of Cloud

Many people are surprised by the brutality of Donald Trump, and are offended to see TikTok either banned or bought by Microsoft. The Chinese are shouting robbery, and we can understand them. If the United States of America did the same thing with a company from my country, I would certainly have the same reaction. However, looking at this subject from a purely legal point of view and in the light of recent events, one might be tempted to believe that these fears are justified.

Data Law in China

As everyone now knows, TikTok is the "China-free" version of an application for China called Douyin. Douyin is operated from Chinese soil, for the Chinese public, and is therefore fully subject to Chinese data law. This law stipulates that individuals have a right to privacy and a right to their data, except two things. 

The first is respect for a number of things under Chinese law. If you insult the Chinese Communist Party, in China, from a Chinese application, you can be sure that your account will be suspended, in addition to the legal risks. All in all, this is a principle found in western jurisdictions, even if it relates more to racist remarks and calls for violence. Rather than the expression of your possible hatred towards the head of your state, for example. 

But the second thing that modulates this right is much more problematic because it stipulates that the "competent authorities" all have a right of access to your data. In China, your life is private, but not for the Communist Party. We, therefore, deduce that any data stored in China can end up in any office of the Chinese Communist Party.

A Paradigm Shift in Data Privacy Law

So far, this has not been a concern for TikTok, as the data is stored in Singapore and the USA for Western users and Hong Kong users.

But a loophole has opened, following the passage of Hong Kong's National Security Act on 30 June 2020. This law, which, among other things, gives impunity to Chinese intelligence agents on Hong Kong soil. The fear was therefore born that data stored in Hong Kong could end up in the hands of the Chinese communist authorities. We have seen TikTok leave Hong Kong soil, but also recently the South Korean company Naver, which moved its data from Hong Kong to Singapore (https://www.zdnet.com/article/naver-transfers-hong-kong-backup-data-to-singapore/).

By the way, (https://www.reuters.com/article/us-tiktok-hong-kong-exclusive/exclusive-tiktok-says-it-will-exit-hong-kong-market-within-days-idUSKBN2480AD), Douyin was already serving Hong Kong, so Hong Kong residents now know which application to turn to.

So we can tell ourselves that everything is going well anyway. TikTok data is no longer in Hong Kong, and is still in Singapore and the USA.

A Legal Bridge Between Singapore and China?

But that's where there's a "but". The data legislation in Singapore, called PDPA, contains a need for clarification, to be modest. This legislation, which is quite similar to the European GDPR, stipulates that data cannot leave Singapore unless the destination country has similar legislation. And guess who does? You guessed it, Hong Kong, with the PDPO. From there to say that the data can transit from Singapore to Hong Kong and then to China... To be honest, it's quite complicated to prove that this "legal bridge" takes place. But there are a few beams of suspicion: 

• The first one is the close collaboration between Singapore and Hong Kong to harmonize their respective rights, among others on the Data Breach issue. This initiative came quite a few times about serious Data Breach happening in these two cities. Why harmonise laws on a new subject to be dealt with in data laws, which were already quite harmonised in passing, if not to facilitate the legal possibility to transfer data freely?

• The second is this seemingly anecdotal legal document. It is a document that a law firm makes its clients sign with whom it contracts, on the subject of compliance with the PDPA and PDPO. This firm operates in many countries, including Singapore and Hong Kong, and, without forcing an over-interpretation of this document, shows that this firm considers PDPA and PDPO to be similar.

• Finally, the third document is a document issued by a group of independent law firms, which compares on page three the jurisdictions of a number of countries, and it is clear that the only difference concerns the consideration of sensitive information. This does nothing more than limit the transfer of data from Hong Kong to Singapore, but not the other way around.

The TikTok Case, a Geopolitical Chess Game

And so we see Donald Trump wanting TikTok to become American, and that the application serves the USA, Canada, Australia, and New Zealand. Yes, New Zealand sheep won't be hacked by the Chinese! Unless...Oh, yeah, right. These are all countries that are both members of APEC, but also give a little help to American intelligence, and for three of the countries are members of the CBPR, an emanation of APEC to harmonize the law on data. Hong Kong and China are absent, but Singapore is present. Would the United States seek to prevent a legal bridge from being built between Singapore and China? Let us not forget that Singapore is a military ally of the United States, but also a commercial ally of China. Singapore can be considered China's second most important port. It is highly doubtful that Singapore will not follow the TikTok case closely.

What Are the Consequences for The Cloud Market and For the Development of Cloud Applications?

It doesn't seem very reasonable to ignore this case when it comes to contracting with a cloud provider or delivering a cloud application born worldwide.

On the question of China, the answer is easily found. Your application will work on Chinese soil, with a Chinese or American cloud provider (AWS or Azure, but not GCP).

Concerning APEC member countries, the situation seems unclear. But the simplest thing would certainly be to operate as much as possible with Western players. When comparing Azure, AWS, and GCP, one would be tempted to be questioning about the situation in Azure. Indeed, Azure only operates in the region via Singapore and Hong Kong (and China), while GCP and AWS operate from a wider variety of locations. In any case, AWS is the only one that can allow you to operate for China, the West, but also South-East Asia, all the while avoiding Donald Trump to intervene in your business. It is therefore tempting to prefer AWS.

And for the anecdote, TikTok uses GCP, and not Azure. Knowing that TikTok's data is enough to fascinate Google's business model. Is this a mistake by Donald Trump? Would Google have some reason to blame itself? We won't take the liberty of not guessing too much, but it's something to note.