
Impact of the Personal Data Protection Bill, 2019 on ByteDance’s Big Data Plans

Changing times have led to rapid advancements in information technology, whether in new products being launched daily or in new uses being found for existing developments. Claims suggest that these rapid advancements, and any subsequent legislation drafted to govern them, are attempts to bring about the same level of transparency as the previous wave of freedom of press and freedom of speech laws did[1]. Yet the amount of information available in the public domain is not proportionate to the information available with institutions and agencies[2], the most prominent example being that of ‘big data’.

As the name suggests, ‘big data’ refers to an extremely large amount of data, generated in every manner, which is then put to further use by systematically extracting information from it and using what is extracted[3]. Data and information are no longer limited to presentations and spreadsheets prepared for official purposes; they can be extracted and manipulated from anything, be it a simple search online or a post on a social media platform. Said information can be anything, from your preferred brand of pasta sauce to the type of music you listen to while cleaning your room. Though one would assume that the most common use of this extracted data would be its sale for the purpose of targeted advertising[4], the implications are far wider, as is seen in the case of China. In the past couple of years, there has been an increase in agitation and backlash by the public against the nefarious collection of one’s personal data. Despite the drafting of probably some of the most comprehensive legislation to regulate data privacy[5], it does not come without sanctions given to the State to continue doing what they have been doing for years now.


Started in 2012, ByteDance Ltd. is a Chinese multinational internet company. The developer of the video-sharing social networking app called Douyin (also called TikTok) and Helo, its acquisition of in 2017 for almost USD 1 billion resulted in the formation of TikTok as we know it now.[6] With over 500 million monthly active users, TikTok has become a rage globally. It is the birthplace of several ‘challenges’, from the #dontrushchallenge[7] to several quirky dance routines[8]; the daily traffic on the app seems to be on the rise, particularly in light of nationwide lockdowns and quarantine directives due to the outbreak of COVID-19. The company also seems to be inching towards global domination and giving competition to its counterparts in Silicon Valley, with the appointment of former Disney+ executive Kevin Mayer as the CEO of TikTok and the COO of ByteDance.[9] But if everything appears so hunky-dory, what could possibly be the reason behind the criticisms the app repeatedly faces?

China, from various first-person accounts and news reports, does not use the internet for watching cat videos. The Chinese government has used apps such as WeChat for the very purpose of gathering information about its users and has been criticized for allowing the practice to continue with the backing of its legislation.[10] Among the companies that have been linked to this gross breach of privacy, ByteDance’s name was brought to light after it reportedly suspended the TikTok account of an American teenager who posted a video criticizing the human rights abuses by the Chinese government in Xinjiang.[11] The company was even accused of unwarranted censorship at the time of the protests in Hong Kong, fighting for liberation from Chinese occupancy.[12] TikTok Inc. has not been alien to lawsuits for breach of privacy and protection. In 2019, the Federal Trade Commission of the United States of America filed a lawsuit against the company for data collection of minor users, which is a gross violation of the American Children’s Online Privacy Protection Act, 1998.[13] The move to hire Kevin Mayer as the CEO appeared to some experts as an appeasement tactic to show users that the sole control of the app’s functioning and its related tasks is not only with the Chinese government.[14]

However, these misdemeanors by ByteDance should be the least of our concerns when it comes to the subject of the article. In April 2019, ByteDance acquired Terark, a Chinese big data firm known to process and compress large volumes of data into a small space, which could potentially boost the usage and application of big data by 10 times.[15] The implication of acquiring such a firm is rather straightforward: ByteDance now possesses the medium and workforce to slowly and gradually increase the amount of data collected and compress the same for further use, a use which could very well be the misuse of the data collected and rehashed.


PDP Bill, 2019- Important Terminology

In recent times, the dialogue surrounding data privacy has gained prominence. With technological developments taking place at the speed of light, it becomes imperative to draft legislation with the flexibility to include said developments and also the rigidity to not lose ground on what the legislation concerns.

The successor of the Draft Personal Data Protection Bill, 2018, the Personal Data Protection Bill of 2019 (hereinafter referred to as the ‘PDP Bill’) in its literal interpretation appears to offer exemptions and immunities to governmental agencies. The PDP Bill attempts to rectify the glaring errors in the previous drafts of the Bill, an example of which would be the mandatory data localization requirement for all data. Under Clause 34 of the PDP Bill, the requirement only concerns ‘sensitive personal data’ and ‘critical personal data’,[16] with the transfer of ‘sensitive personal data’ being approved by the Data Protection Authority for it is pursuant to a contract. The concern arises with respect to ‘sensitive personal data’, which within its broad ambit covers everything ranging from financial data, health data, religious beliefs, political affiliations, sexual orientation and many more. In the event there exists a copy of the data in the country, cross-border transfer of data is permitted under the provisions of the PDP Bill. However, Clause 34 of the PDP Bill allows such transfer only if the transfer is in pursuance of the scheme approved by the Data Protection Authority.

Despite the well-intentioned attempt to remove any ambiguities, the attempt to foresee misuse of sensitive and critical personal data by cross-border transfer appears to be half-hearted. Though explicit consent of the data principal is required in order to initiate the said transfer, the PDP Bill lacks a mechanism to enforce the same.[17] At the same time, there is no parameter in the PDP Bill to judge the ‘adequate level of protection’ which the transferee country ought to meet in order to permit the cross-border transfer of data.[18] The General Data Protection Regulation (hereinafter referred to as ‘GDPR’), under Article 45, determines the ‘adequate level of protection’ on the basis of factors such as adherence to the rule of law, the existence of an independent data protection authority in the third country and being party to international covenants dealing with data privacy and protection.[19]

Implications of ByteDance entering India

Despite the previous claims by several individuals and entities that TikTok, working hand in hand with ByteDance, has been assisting its parent company in the misuse of stored data, the subsidiary claims that it is not an accomplice to said malpractice on account of operating out of Singapore, where its data center has been established.[20] What is important to note is that, in light of the efforts by the Government of India to promote data localization, ByteDance has announced plans to establish data centers in India.[21]

Our country’s aversion to all things China may be something we try to support, but we fail to realize the silent infiltration that has been taking place for years. As of 2018, 44 of the top 100 apps listed on Google Play Store in India were Chinese[22], with apps like PUBG, TikTok, and Club Factory being some of the most popular ones even to date. Though we are sitting behind a wall in the form of the PDP Bill now, the present interpretation the Bill offers makes the wall look more like a house of cards. Even though the sensitive and critical personal data would be stored in the data center located in the country, and the processing of sensitive personal data would require consent, the exemptions offered to governmental agencies to access the same in the name of ‘sovereignty and integrity of India, the security of the State, friendly relations with foreign states, and public order’[23] are even more worrisome than a foreign sovereign having access to such data.

The most pertinent concern regarding the PDP Bill is one which is common to most new legislation which governs technological developments- will the provisions of the Bill be able to effectively regulate technological developments like Big Data?


We cannot afford to look at ByteDance’s ever-growing popularity in isolation. Every morning, we wake up to the news of some new technological development, which despite its good intentions only appears to do more harm than good. The misuse of and by big data is right in our faces, yet we continue to be impervious to the same. The same can be said about the PDP Bill- the content of which tilts more in favor of governmental agencies and the State. It only rightfully appears that the users are caught between this tussle, something which should be resolved as soon as possible. 

[1] Roger Taylor and Tim Kelsey, Transparency and the Open Society: Practical Lessons for Effective Policy 114-116 (2016).

[2] Ibid.

[3] Richard Cumbley and Peter Church, Is “Big Data” Creepy?, 29 CLSR 601, 602-604 (discussing the meaning of big data and its subsequent misuse).

[4] Ibid.

[5] Michael Gentle, China’s Data Privacy Laws vs GDPR, Medium, Oct. 11, 2018.

[6] Kane Wu, Adam Jordan and Shalini Nagrajan, China’s ByteDance buying lip-sync app for up to $1 Billion, Reuters, Nov. 10, 2017.

[7] Megha Mandavia, Indians willing to act quirky go viral on TikTok, Economic Times, Jun. 14, 2019.

[8] Ibid.

[9] Anthony Ha, Disney streaming exec Kevin Mayer becomes TikTok’s new CEO, Tech Crunch, May 19, 2020.

[10] Trisha Ray, Does the Data Protection Bill solve the Dilemma posed by Dominance of ‘Foreign’ Apps?, The Wire, Dec. 24, 2019.

[11] Anna Fifield, TikTok’s owner is helping China’s campaign of repression in Xinjiang, report finds, The Washington Post, Nov. 28, 2019.

[12] Johanna Li, Is TikTok Safe? Concerns About Data, Privacy and Censorship Abound, Inside Edition, May 13, 2020.

[13] Chavie Lieber, TikTok has been illegally collecting children’s data, Vox, Feb. 28, 2019.

[14] Supra at 7.

[15] SC Yeung, ByteDance eyes big data push with Terark acquisition, Ejinsight, Apr. 30, 2019.

[16] K. Satish Kumar, India in 2020: Relief in sight from data protection bill?, India Business Law Journal, Jan. 31, 2020.

[17] Ibid.

[18] Kamal Taneja and Gulshan Rai, Data Protection Bill is vague and intrusive, Business Line, Mar. 15, 2020.

[19] Article 45, Regulation (EU) 2016/679 of the European Union.

[20] TikTok is safe to use; stores user data securely: TikTok India Head, The Indian Express, May 13, 2020.

[21] Prasid Banerjee, TikTok owner to set up data centres in India, LiveMint, Jul. 22, 2019.

[22] Shadma Shaikh, The Chinese Takeover of the Indian App Ecosystem, FactorDaily, Jan. 2, 2019.

[23] Supra at 14.

