Chinese social video giant TikTok is opening two new data centres in Europe in the hope of assuaging fears over data privacy and Chinese access to user information. Experts warn this won’t be enough to settle the minds of regulators over Chinese access to user data or stop the “ban TikTok train” from gaining further momentum.
The new data security regime, named “Project Clover”, comes amid growing concerns from European and US politicians and follows a decision by the European Parliament, European Commission, and the EU Council to ban the app from staff phones. Regulators and lawmakers are concerned that allowing its use on official phones will give Chinese government officials access to user data. TikTok has long denied claims it passes data from European or US devices to Beijing.
The new program will see a second data centre opened in Ireland and another in the Hamar region of Norway, both of which will be run by an undisclosed third party. Oracle manages TikTok user data in the US on behalf of its parent company ByteDance.
“We are a pro-compliance company,” TikTok VP of government relations Theo Bertram said in a statement. “Tell us what the problems are, and then let’s work together on the solutions. That’s been our approach in the US, that’s been our approach everywhere. Our approach is very much open to governments, regulators, and experts to give us their counsel and advice on how we can do this even more effectively,” he added.
TikTok says the project is similar to “Project Texas” in the US and will reduce the amount of user data transferred out of the European Union as well as reduce how much access employees have to user data internally. “Our existing data access controls already highly limit access to user data. Building on our data security approach in the US, we are further enhancing these controls by introducing security gateways that will determine employee access to European TikTok user data and data transfers outside of Europe,” the company said.
“This will add another level of control over data access. Any data access will not only comply with the relevant data protection laws but also have to first go through these security gateways and additional checks,” it added, confirming it would also introduce external oversight of EU user data. It will be “overseen and checked by a third-party European security company who will audit our data controls and protections, monitor data flows, provide independent verification and report any incidents.”
TikTok measures unlikely to stop calls for a ban
Not everyone agrees this will be enough to stop the ongoing calls for an outright TikTok ban. “I see this ‘ban TikTok train’ as barreling forward – regardless of how ByteDance feels about that, and regardless of how much they try and work to convince us collectively otherwise,” says Shelly Kramer, principal analyst at Futurum Research. “The reality that governments know is that any Chinese-based company is ultimately controlled by the Chinese government. Full stop.”
Kramer believes the only way TikTok can have a long-term future in the West is if it is sold to a Western company, and says any sale would have to include its technology and back-end operations. “Less than a year ago we had reports of access to recordings of internal staff meetings and presentations, and even a member of TikTok’s trust and safety department team being cited as allegedly saying ‘Everything is seen in China’ and another, an engineer based in China, saying that China ‘had access to everything,’” she added.
Even a partial ban of TikTok would impact millions of users. Kramer believes “something needs to change, and it’s not more assurances by ByteDance around data protection.” She explains: “The real issue is the fact that TikTok is a Chinese-based company and there are likely legitimate concerns about what this kind of access to users, their habits, their data provides across the board.”
Putting a few data centres in Europe or the US, or partnering with a company like Oracle to manage data as ByteDance did in the US, is unlikely to move the needle with regulators. “TikTok’s recent announcement is a tick box exercise in order to try to satisfy potential future regulation,” says Caroline Carruthers, CEO of data consultancy Carruthers and Jackson.
“Following the Schrems II ruling, businesses operating within the EU were required to ensure users’ data had to be stored locally – as a result new data centres are popping up all over Europe as enterprises look to comply with the regulation. However, in practice, this doesn’t make a difference to users’ privacy as digital data can’t be constrained by geographic boundaries. While we have varying data privacy standards between nations and regions, users’ data is not a great deal safer because of a data centre being built.”