Facing a complicated transaction in the U.S., video-sharing platform TikTok Inc. may be hoping to find a simpler solution to regulatory scrutiny in Europe.
TikTok was granted an injunction Sept. 27 against the Trump administration's move to ban the app. Meanwhile, the company is negotiating a sale to Oracle Corp. and Walmart Inc. to resolve U.S. national security concerns.
In Europe, the Beijing Byte Dance Telecommunications Co. Ltd.-owned company is facing investigations of a different nature. Data watchdogs in France, Italy, Holland, Denmark and the U.K. are investigating the social media app's compliance with the bloc's stringent data protection rules, known as the General Data Protection Regulation, or GDPR.
These probes may be less partisan and more predictable, but they could still be costly to solve, experts said.
If TikTok is deemed to have fallen foul of the GDPR, it could be served numerous fines of €20 million or 4% of annual global turnover, whichever is higher. Judgments are likely to take into account that companies handling children's information have extra responsibilities to keep that data safe under GDPR.
National authorities are free to conduct their respective investigations until TikTok has a main data processing establishment in the EU, according to the European Data Protection Board, or EDPB, a grouping of EU data regulators that monitor enforcement of the GDPR. Only then will the pending reviews switch to the lead supervisory power in that jurisdiction under a GDPR mechanism known as 'one-stop shop.'
"In this scenario, every pending proceeding (necessarily non-cooperation proceeding because of the initial lack of main establishment in the European Economic Area) will be transferred to the supervisory authority of the state in which the main establishment is located," a spokesperson for the EDPB said.
TikTok's exposure to multiple security probes poses a "logistical nightmare" for the firm and the prospective owners of its global operations, according to Ross McKenzie, a partner at U.K.-based law firm Addleshaw Goddard, who advises clients on GDPR compliance. Until it receives one-stop shop approval, the app is exposed to regulatory action across the entire EU, he said.
"If [TikTok] is processing data in one territory, an action can only be raised by one regulator, rather than 27 regulators across every member state," McKenzie said.
In order to ease regulatory scrutiny, TikTok is creating a €420 million data center in Ireland, designed to house EU and U.K. user information currently stored on servers in the U.S. and Singapore. However, the new facility may not be its main establishment for data processing. TikTok was reportedly considering opening an international headquarters in London, but is yet to announce any firm plans.
The Danish data watchdog told S&P Global Market Intelligence that it expects to end its investigation later this year. In the vein of the other probes, its review focuses on issues of transparency around how TikTok processes user data; users' data access rights; transfers of user data outside the EU; and steps taken to ensure adequate protections of data belonging to minors, which make up a significant chunk of the app's user base.
The Danish data regulator said it will adhere to the rules of the GDPR, and the guidelines from the EDPB, "if and when TikTok should be considered as having a main establishment within the EU."
TikTok, which allows users to create and share short video clips often accompanied by pop music, boasts 200 million users split about equally across the U.S. and Europe.
The EDPB earlier this year set up a TikTok task force to help coordinate potential actions taken against the company in response to a letter from EU lawmaker Moritz Körner. Europe does not need to ban the app if it complies with EU law, Körner told S&P Global Market Intelligence, adding that the bloc must be "more active in enforcing GDPR standards."
Transparency could become an outstanding concern for the app and other social networks as the EU looks to define itself as a "safe haven" for data at a time when economic recovery is being linked with the digital transition globally, McKenzie said.
Facebook Inc. recently threatened to pull out of Europe after an EU court ruling struck down the mechanism safeguarding transatlantic data flows, known as the Privacy Shield, over U.S. surveillance concerns. With European regulators scrutinizing TikTok's transfer of information overseas, it could be facing similar hurdles.
"The data center in Europe will not solve all of TikTok's issues," McKenzie said. "There will be question marks over whether the other TikTok operations globally will still be able to access that data."