What Oracle’s TikTok Dance Can Teach Everyone About Good Data Governance

As of Jan. 22, TikTok is under new ownership — tech giant Oracle and investment firms Silver Lake and MGX now own a supermajority of TikTok USDS Joint Venture LLC, better known as US TikTok, with an estimated valuation of $14 billion. 

Oracle has received a copy of the TikTok algorithm and US users’ data — an estimated 150 million of them — to “re-train” the algorithm on this data without interference from the Chinese ByteDance owner, which is a 19.9% owner of the new US TikTok organization. 

Oracle is the “trusted security partner” with a 15% ownership stake in the US TikTo. The data governance implications of this transition speak not only to TikTok’s unique position as a social media platform originally owned in China but the ever-increasing expanse of data in the world. (TikTok recently settled a social media addiction lawsuit.)

Oracle’s mandates for the US version of the app include: 

Data sovereignty and hosting

• Exclusive hosting: Oracle will store all sensitive US user data within its secure Oracle Cloud infrastructure in the US.
• Access controls: Oracle is responsible for establishing and maintaining firewalls to ensure that ByteDance employees in China cannot access US use information.

Algorithm oversight and retraining

• Independent algorithm: Because Chinese law prohibits the outright sale of the algorithm, the US joint venture will lease a copy. Oracle will oversee the “retraining” of this algorithm from the ground up using only US data.
• Integrity monitoring: Oracle will continuously audit the recommendation engine to ensure the content feed is free from outside manipulation or foreign influence.
• Source code review: In partnership with the US government, Oracle will inspect the app’s source code for backdoors or unauthorized access points.

Compliance and auditing

• Validation: Oracle is tasked with auditing and validating that the new US entity complies with all national security terms set by the US government.
• Secure gateways: Oracle will build and manage secure gateways that allow US users to remain globally interoperable (interacting with international users) while keeping domestic data isolated.

Financial and strategic interest

• Revenue impact: TikTok is one of Oracle’s largest cloud customers, contributing an estimated $800 million in revenue for fiscal year 2025.
• Board representation: While not managing daily social media operations, Oracle’s involvement supports the new seven-member board, which will be 85% American-controlled.

Data Privacy

The US Is Not Alone in Regulating Children’s Data Privacy. Here’s a Primer on the Global State of Play.

by Ceren Canal Aruoba

February 2, 2026

Emerging policies extend beyond data privacy into product governance and algorithmic accountability

Read moreDetails

Data governance roadmap

Oracle’s mandate as the US TikTok data steward provides a basic roadmap for other organizations looking to build their own data governance programs. This is especially relevant as legal requirements, regulatory scrutiny and technological advances are all increasing at a rapid rate.

With 20 US states’ having passed comprehensive consumer privacy and data protection laws and over 100 new laws and regulations focused on AI systems and services, compliance is becoming increasingly chaotic, and the ever-growing volume of data that organizations collect, use, share and store requires decisive efforts in data governance and privacy.

Oracle’s obligations to US TikTok trace fair information practices and principles, which can benefit all organizations in building their data governance and compliance projects and programs, including:

Data knowledge

To exercise sovereignty over digital assets you must know what assets you have, where they are located and who has access to them. Set up a data governance council (DGC) to map data inflows/outflows and classify data into governance schemas, such as operational and/or marketing data, personal information, human resources data and confidential data.

All systems assessments

Every system, both internally and externally sourced, must be inventoried and provenance established to determine how they all interact. Unknown or rogue AI systems pose significant regulatory risks. All vendors must be rigorously vetted to verify integrity and outcomes. Identify all first- and third-party data connections, vet the vendors exposed to data classification type, bind internal/external PI vendors to data protection agreements. Keep a human in the loop of decision-making software and, if AI is involved, voluntarily disclose that fact to the end users.

Test, test and retest

Data management compliance is a relentless process requiring frequent and recurring examinations. Conduct routine audits of all systems to detect gaps in functionality, transparency and risk/response capabilities.

Accountability

To receive the true benefit from digital assets management programs, someone needs to be empowered to measure and report on the value impact of managed digital assets financially, reputationally and risk regulatorily. Set up a data governance czar with autonomy to report to C-suite executives and board committees committed to data value and integrity.

While these principles and practical guidance may seem simplistic, many US companies are still resisting the reality and importance of data governance and structured management as a value center. In many ways, the regulatory environment, whether international, national or local, does not matter. Rather, the value realized through organizational discipline and honored digital asset governance systems comes from knowing the organization is a good steward of personal data that consumers can trust. 

When this is established, it positions the organization to mitigate and defend against regulatory, cybersecurity and litigation risks, as well as lessen compliance chaos and avoid digital entropy.