US TikTok ban sparks global privacy and data protection debate: What can Australians learn?
In recent months, the privacy and data protection debate over TikTok’s presence in the United States (US) has intensified, with a bipartisan Bill passed in the US requiring TikTok to divest from Chinese parent company “ByteDance” by 19 January 2025. Non-compliance would see TikTok cut off from the US app stores and hosting services, due to concerns around data protection and national security.
In a tit-for-tat exchange, TikTok ‘went dark’ for users in the United States prior to the January 19 deadline but was restored approximately 14 hours later after receiving alleged ‘reassurance’ from incoming President Donald Trump.
The TikTok tug-of-war has brought on a global privacy and data protection debate, with lessons for businesses operating in Australia. With individuals’ concern for their own privacy at an all-time high, Macpherson Kelley’s Privacy Lawyers discuss the legalities surrounding the TikTok saga, including key privacy law takeaways for Australian businesses.
What happened to TikTok in the United States?
It has been widely argued that TikTok could be used by the Chinese government to gather sensitive data on users. The crux of the issue lies with China’s data privacy laws, which could compel Chinese companies to share data with the government. These concerns have led to heightened global scrutiny, not just of TikTok, but of other apps with ties to China.
Ultimately, the concerns led to calls for a ban, or at least strict regulations, aimed at limiting TikTok’s operations in the US. Importantly, the divest or ban law does not violate the right to freedom of speech in the US. The courts agreed with the US government that the platform could be used by China to collect a vast amount of sensitive information on Americans.
TikTok voluntarily withdrew from the US market because it had not divested from ByteDance, with the US President, Donald Trump, committing to work with TikTok to reinstate its use within the US, with the aim of a 50% ownership position in a joint venture to keep TikTok in good hands. The shutdown did not affect other countries.
Global data privacy concerns
The US government’s security concerns highlight the growing concern over data privacy and the global disparity in data protection laws. In the US, there is no unified federal data protection law. Instead, data laws in the US vary by State. This fragmented approach often leaves gaps in safeguarding personal data, especially when it comes to foreign-owned platforms.
Platforms such as TikTok might fail or, at least, fail to thrive with a ban in the US, as it would lose approximately 170 million of its users. Users in the US are particularly valuable as top contributors in terms of creators, advertisers, and direct spending in the TikTok shop.
Whilst it is thought that allied countries will follow in a similar fashion, countries such as the United Kingdom have indicated that they do not intend to follow the same path as the US. The UK stipulated that it would not follow suit unless or until there is a threat that causes concern to British interests, at which time it would be under review.
Data collection for Australian users of social media platforms
In contrast to the US, Australia has a more robust national framework for data protection, though still not as stringent as the European Union’s (EU’s) General Data Protection Regulation (GDPR). Australia’s Privacy Act 1988 (Cth) (the Privacy Act) regulates how personal data is collected, stored and used by businesses, including foreign companies operating within the country or that collect personal information from Australian residents.
The Privacy Act mandates that companies obtain consent before collecting personal data and that they disclose how the data will be used. When personal data is moved, stored and accessed overseas, further obligations arise and disclosures are required. Australia also has the Notifiable Data Breaches scheme, which requires businesses to notify individuals when their data has been compromised.
What are the data protection and privacy requirements for big social media platforms in Australia?
Big social network platforms such as Facebook, Instagram, Snapchat, TikTok and LinkedIn are required to comply with the Privacy Act given they have a turnover of greater than $3 million. These platforms allow Australian users to share personal information in comments, messages, photos and videos. The concern for users is that even if they use privacy settings, they may not have complete control over who sees or uses the personal information that has been shared.
For example, a friend, follower or connection may republish a person’s personal information to a wider audience than the original user intended. Information shared online may be permanently recorded. Even when users deactivate their account, the information may remain in archived or old versions of the website, in re-posts or in comments that have been made on other users’ pages. Users should always read the privacy policy of any social network they intend to use and choose the privacy settings that best suit their needs.
Social media users can ask for removal of personal information
Under the Privacy Act, an Australian user should be able to request that personal information be removed from the social network platform for privacy reasons. The user will also be able to go directly to the platform to raise a privacy complaint and, if not satisfied, may raise a complaint with the Office of the Australian Information Commissioner (OAIC).
How does TikTok operate under stricter privacy laws?
The most comprehensive data protection laws are those of the EU under the GDPR, which impose strict obligations on companies, including TikTok, to protect user data and ensure transparency. While TikTok operates in the EU, it must adhere to these robust privacy regulations, providing a stronger layer of protection for European users.
One key provision of the (Australian) Privacy Act is the requirement for businesses to obtain explicit consent from individuals before collecting their personal data. This includes clear disclosures about how the data will be used and stored. Social media platforms must adhere to these principles, making privacy notices and user agreements transparent and easily accessible.
Data protection and privacy law challenges in Australia
Australia’s privacy laws face challenges in the rapidly evolving digital landscape. Social network platforms often collect vast amounts of user data for targeted advertising and other business practices, raising concerns about the extent of data sharing and third-party access. Despite these concerns, Australia’s approach is generally less strict than the EU’s GDPR, which imposes heavier penalties and broader requirements for data protection.
In response to these challenges, the Australian government has been exploring reforms to enhance privacy protections, including proposals to update the Privacy Act and align it more closely with the GDPR. As social network platforms continue to grow in influence and data collection practices evolve, compliance with Australian privacy laws will remain a critical issue for companies operating in the country.
Obligations for social media platforms across different countries
Globally, the landscape of data protection laws is uneven. The EU has set a high standard with the GDPR, requiring transparency, user consent, and robust safeguards for personal data. Meanwhile, the US relies on a fragmented system that varies by State, and countries like Australia have a more balanced but still evolving approach to data protection.
Other countries have varying levels of regulation. In countries like India, Afghanistan and Pakistan, TikTok has already been banned over similar concerns about data security, but in places such as Brazil, France, Norway, and Austria, the app operates with certain constraints to ensure compliance with local privacy laws.
For TikTok, compliance with these varying laws presents a complex challenge. As governments worldwide examine the app’s data practices, the growing trend of heightened scrutiny on data privacy highlights the need for clear, consistent, global standards in the digital age.
Why privacy law compliance should be prioritised in Australia
Under the Privacy Act, penalties for non-compliance can be significant, particularly for entities that fail to meet their obligations regarding the handling and protection of personal data. The specific penalties depend on the nature of the violation and the size of the entity involved.
As of recent amendments and reforms, the penalties for non-compliance with the Privacy Act are detailed below.
For serious or repeated breaches of privacy:
- For companies, the maximum penalty is $50 million or, if the penalty is not easy to calculate, 30% of the company’s adjusted turnover for the relevant period, or 3 times the value of any benefit obtained through the breach.
- Individuals found responsible for serious breaches can be fined up to $2.5 million.
For breaches related to notifiable data breaches (under the Notifiable Data Breaches scheme):
- If an organisation fails to notify the OAIC or affected individuals within 30 days of a notifiable breach, the penalties can be up to $2.22 million for businesses.
General breaches (failure to comply with the Australian Privacy Principles (APPs)):
- The penalties for failing to comply with the APPs, such as not taking reasonable steps to protect personal data or failing to provide users with access to their data upon request, can also result in fines and sanctions by the OAIC, which may include enforcement actions, public reprimands, and other regulatory measures.
These penalties are designed to ensure that organisations take their privacy obligations seriously and that individuals’ personal data is properly protected. If a company such as TikTok were found in breach of the APPs, it could face the full force of these penalties, depending on the severity of the breach.
With TikTok having a large global footprint, the penalties under the Privacy Act could amount to a substantial financial burden, particularly if it faces violations related to serious or repeated privacy breaches. The use of turnover as a penalty metric makes the stakes even higher for tech giants, as the fines can be directly proportional to their financial success in the country.
As data privacy concerns continue to grow, these penalties are likely to play an increasingly important role in shaping how companies like TikTok handle user data in compliance with Australian laws. While TikTok’s exact turnover in Australia is not publicly available, estimates suggest that it generates millions of dollars in revenue from its Australian market, primarily through targeted advertising and partnerships. For reference, TikTok’s estimated revenue in the US in 2023 was $16.1 billion.
What does this mean?
TikTok’s operations are particularly sensitive in the context of data privacy, due to concerns over its Chinese ownership and the potential for Chinese authorities to access Australian users’ data. Lack of public trust has potentially singled out TikTok for misusing data. Using TikTok as a broader example, there is an argument to be made that compliance drives the public’s trust in, and support and reputation of, a business.
TikTok’s challenges emphasise the importance of international compliance, as businesses must adhere to both local and global privacy standards to avoid hefty penalties and reputational damage. In summary, TikTok’s example highlights the need for proactive privacy measures, transparency, and accountability in data handling.
Businesses, at a minimum, should:
- Review the personal information collected. Businesses collect a lot of personal information about their customers and, often, the end-users or beneficiaries of their products and services. However, businesses do not always remember what is collected and why, nor do they appreciate the implications if the person is based in Australia or overseas. Until a business knows this, it cannot hope to comply with Australian law, let alone relevant overseas privacy laws.
- Update your privacy policy and notifications. This ensures explicit consent from users before collecting personal data, clearly explaining how it will be used. Businesses must be transparent with users about their data practices and regularly audit their data security measures to identify and address risks.
- Draft and implement a data breach response plan. This includes notifying affected individuals and regulators within the required timeframes under the Notifiable Data Breaches scheme.
Please do not hesitate to contact our privacy lawyers if you would like to discuss your business’ privacy compliance further.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.