After admitting that it stored some EU user data on Chinese servers, TikTok will now be facing a new data transfer investigation headed up by Ireland’s Data Protection Commission.
A prior investigation that concluded earlier this year established that TikTok had allowed remote access to EU data by engineers in China, something that wrapped up with a €530 million (about $620 million) fine. But in the late stages of that investigation, TikTok admitted that some EU user data had in fact migrated to Chinese servers.
New data transfer investigation stems from TikTok admission during previous probe
TikTok voluntarily notified EU regulators of the data transfers as part of its construction of new data centers in the region. The so-called “Project Clover” broke ground in 2023 and thus far has resulted in the establishment of regional data centers in Dublin and Norway that have since gone operational and one more under construction in Ireland, with a total commitment of 12 billion euros by the social media giant. TikTok said that it discovered the errant data transfers as part of new monitoring procedures it put in place as part of this project, and has deleted what it called a “minimal” amount of EU user data that wound up being sent to China.
The new inquiry again examines potential violation of the terms of the General Data Protection Regulation (GDPR), specifically Articles 5(2) (accountability), 13(1)(f) (transparency information in relation to third country transfers), 31 (obligation to cooperate with the supervisory authority) and Chapter V GDPR (compliance with the relevant requirements for third country transfers).
China remains without an adequacy decision from the EU, given its government’s open policy of free access to all user data held by companies within its borders. While ByteDance has yet to be shown to be providing any of this data to the Chinese government, it can be compelled to at any time under the country’s national security law and would not be obligated to notify any impacted parties nor provide them with any sort of redress.
TikTok has appealed the prior fine it received, claiming that though it was possible for engineers in China to access data in other countries the mechanism that was called into question had been deprecated and not actually used for a long time.
Data transfers issue continues string of mishaps and oversights for TikTok
The mere theoretical possibility of the Chinese government helping itself to the contents of data transfers has caused ByteDance no end of headache and expense over the last few years, to include ultimately being pressed by the United States government to divest its entire overseas TikTok operation and sell it to an American company. Much of this tumultuous period has been owed to a repeated pattern of the company seeming to appease assorted foreign regulators with big “onshoring” privacy moves, only for some oversight allowing data to continue to flow to China to emerge and throw the whole thing back into chaos again.
The roots of all of this are in the final years of the first Trump administration, which in 2019 declared a national emergency over exploitation of vulnerabilities in communications technologies by foreign adversaries. That campaign saw aggressive moves against companies like Huawei and Xiaomi all the way through the administration changeover in January 2021, and Trump’s attention turned to TikTok as well with the first proposal that it either sell to a US firm or be banned from US app stores. The Biden administration then opted to cool the temperature somewhat, reaching a deal with ByteDance to implement “Project Texas” and create data centers in the US and Singapore overseen by Oracle.
That seemed to resolve things until internal company leaks showed that Chinese engineers were still accessing the data of US users, which then prompted a harder stance by the Biden administration and eventual adoption of the Trump “sell to a US firm or be banned” policy in its outgoing period. While Trump continued with that policy once in office again this year, his view of the company softened due to perception that it aided in drumming up the youth vote for him. Trump continues to demand that the company find a US suitor but has granted it multiple extensions via executive order that keep it from being removed from the app stores, most recently adding a 90-day extension (the third granted thus far) in June.
It remains to be seen what impact this eventual sale will have on TikTok’s data transfer issues in the EU. The US received an adequacy decision about two years ago that has thus far held up, though privacy group “noyb” has floated the idea of a “Schrems III” challenge. In the interim, two of the three Project Clover data centers are operational and TikTok recently announced a three-year extension of its ongoing partnership with the UK’s NCC Group to provide security monitoring.
