
Five Takeaways from the TikTok Deal
TikTok announced this past week the establishment of a new joint venture that will acquire the company’s U.S. assets, bringing an end to a multi-year saga about the fate of the popular social media platform. Not only does the resolution clarify the immediate legal status for TikTok, but it also offers insight into how policymakers might handle other Chinese apps.
Here are five key takeaways.
1. China’s Cyber Laws Still Put Foreign Data At Risk
The primary concern among U.S. lawmakers was that the Chinese Communist Party (CCP) could use TikTok to collect sensitive personal data about Americans, manipulate users through the content shown on the platform, or both. While there is no evidence that TikTok ever engaged in this behavior, the potential for a Chinese company to be coerced into this type of action by the CCP remains. Various Chinese laws, including China’s Personal Information Protection Law, Data Security Law, and Cybersecurity Law, allow the Chinese government to demand that companies operating in China provide access to any personal data in their possession. The divestiture of TikTok to the new U.S.-based joint venture successfully eliminates this threat since the app, data, and algorithm are no longer subject to the CCP’s authority. However, similar privacy and security concerns remain for other popular Chinese-owned apps, such as Temu and Shein. Congress will have to decide whether it will now turn its attention to other Chinese apps, as there will likely be many more in the future.
2. TikTok Offers a Blueprint for Addressing Security Risks for Chinese Apps
One way to address concerns about the CCP compelling a private company to turn over user data is to prevent the company itself from accessing the data. For example, some cloud providers guarantee data security by using end-to-end encryption where only the customer, and never the service provider, has access to the cryptographic keys used to protect their customers’ data. In the case of TikTok, the company had already developed a robust security solution, nicknamed “Project Texas,” which now appears to be the cornerstone of how it will address security risks.
In 2022, TikTok established TikTok U.S. Data Security (USDS), a subsidiary governed by an independent board of directors that would legally and technically separate data governance and content moderation of U.S. users from the global TikTok platform. USDS would store all U.S. data on Oracle cloud infrastructure and operate with U.S.-based personnel. Oracle would be responsible for inspecting the source code and ensuring no unauthorized U.S. data was sent to the parent company, and third-party auditors would provide regular independent verification that all other agreements were fully implemented. On top of all of that, the U.S. government would have additional oversight through the Committee on Foreign Investment in the United States (CFIUS), to which all third-party auditors and the board would report. TikTok estimated that the total endeavor would cost around $1.5 billion to get off the ground, and about half that much to operate annually.
Despite these robust protections and safeguards, a number of lawmakers rejected Project Texas, arguing it provided insufficient safeguards. And while TikTok moved forward with implementing much of its proposal, it never received CFIUS approval. Yet the new joint venture is a facsimile of Project Texas: U.S. user data will be secured in the Oracle cloud; Oracle will regularly review and validate source code; the U.S. entity will have responsibility for content moderation; and independent auditors will ensure privacy and security compliance. The main differences appear to be that the U.S. organization will be fully independent from TikTok, but CFIUS will not have continued oversight of the new entity. Those last two changes mostly balance each other out.
In short, TikTok’s original proposal in 2022 to establish legal, technical, and operational controls to mitigate security and privacy risks was likely sufficient. The unwillingness of CFIUS to sign off on that proposal meant that the company was not held to any standard. In future cases, regulators should encourage apps from countries of concern to adopt similar safeguards to protect American data.
3. Countries Can Use China’s Playbook Against It
Congress forced ByteDance to sell TikTok when it passed the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACAA) in 2024. PAFACAA requires app stores and Internet hosting providers to stop distributing “foreign adversary controlled applications” (i.e., TikTok) unless the owners execute a qualified divestiture. TikTok established a joint venture to comply with this law and President Trump’s subsequent executive order. ByteDance, the Chinese owner of the platform, will own a 19.9 percent stake in the new company, with three managing investors—Silver Lake, Oracle, and MGX—holding 15 percent shares each, and an assortment of other investors with the remaining stake.
As noted already, a joint venture was not strictly necessary to achieve the security guarantees that American policymakers wanted, even if that is one way to meet those goals. However, a joint venture does give U.S. owners and investors an opportunity to take control of this Chinese app. Indeed, the end result—a Chinese company forced to sell off part of its business to American ones to access the U.S. market—is a tactic that U.S. policymakers may have learned from China. In numerous industries, including automobiles, solar energy, and wind power, China has forced foreign companies to enter into joint ventures to access the Chinese market. For example, Beijing Sinnet Technology operates Amazon Web Services in China because of laws restricting the American company from owning and operating its own assets.
Now that China has a growing number of globally competitive firms seeking foreign market access, it will likely find that these tactics are less appealing when targeting its own companies. Forced joint ventures generally violate global trade rules; however, as long as China maintains its invasive data security and privacy practices, the United States and other countries may find it defensible to pursue this tactic in the name of national security.
4. China Is Still Not Offering Reciprocal Digital Market Access
Most of the debate on TikTok has always missed the larger issue: Chinese-owned apps operate freely in the West, but many foreign-owned apps, including popular American ones, are systematically blocked in China. While it is important to resolve the privacy and security threats from Chinese-owned apps, the United States also needs a strategy to address the deep imbalance from one-sided market access by Chinese tech companies. The TikTok deal circumvents a serious debate on this topic, since the app is no longer primarily Chinese-owned, but China still blocks many other U.S.-owned digital services, including Netflix, WhatsApp, and Google, even as Chinese competitors have access to foreign markets. A key pillar for trade negotiations with China should be to demand reciprocal market access, and if necessary, block Chinese apps from Western markets if China refuses to offer similar terms.
5. China’s Free Pass from the EU Should End
Despite Chinese laws granting the government broad access to user data held by private companies, EU regulators have been slow to react to the risk to European data. It was only recently, in July 2025, that European regulators announced a €530 million fine against TikTok for unlawfully transferring European data to China, in violation of the General Data Protection Regulation (GDPR). (The EU also fined TikTok in 2023 for improperly processing children’s data.) In contrast, EU regulators have aggressively pursued American companies, arguably treating them with greater caution than their Chinese competitors.
TikTok has implemented Project Clover in Europe, a data enclave much like Project Texas but for European user data. While this initiative may address concerns about TikTok, many other Chinese companies offer apps in the European market with unmitigated privacy and security risks. EU regulators should decide whether they are willing to more forcefully investigate these privacy risks, or decide that when it comes to China, the GDPR is nothing more than a paper dragon.
Conclusion
Taken together, the TikTok deal closes one chapter of a long-running dispute but opens a far more consequential one. It demonstrates that targeted structural safeguards—rather than blanket bans—can mitigate privacy and security risks, while also exposing the costs of regulatory indecision and uneven enforcement. As Chinese tech companies continue expanding globally, governments will need a more coherent framework that balances openness with reciprocity, security with due process, and legitimate risk management with long-term economic strategy.
