
European TikTok User Data Found To Be Available To Chinese Staff as Company Updates Privacy Policy

An update to the company privacy policy now makes clear that TikTok user data gathered in Europe is made available to staff in China, amidst an investigation by the Irish Data Protection Commission (DPC) into whether its data transfers meet the standard established by the General Data Protection Regulation (GDPR).

The privacy policy now makes clear that TikTok user data is transferred to a number of third countries for “important functions,” China among them. It is unclear if this announcement was made in connection with the ongoing GDPR investigation, but the new terms stand to invalidate the company’s ability to transfer EU user data under the terms established by the Schrems II decision. TikTok has said that it has a plan in place to localize EU user data, but it would not be complete until at least 2023.

EU TikTok user data sent to China, other countries without adequacy agreements

Though parent company ByteDance ran into prior trouble with sending TikTok user data from the United States to China (after assurances that it would stop doing so), this privacy policy update applies exclusively to countries in Europe and is slated to take effect on December 2.

China is just one of a number of countries in which EU and UK TikTok user data is shared with “employees within (the) corporate group.” Some, such as Canada, Israel and Japan, have adequacy decisions in place. Others, such as Brazil and the Philippines, do not. The new privacy policy also states that EU TikTok user data is stored in the US and Singapore; neither country has an adequacy decision, and concern about US government surveillance of EU personal data is what prompted the Schrems II decision in the first place.

TikTok says that it has legally valid Standard Contractual Clauses (SCCs) in place covering the data transfers to these assorted countries, but the policy gives no detail about the supplementary technical or organizational measures taken to protect user data from outside access once it arrives.

The privacy policy update also did not include much specific detail about what elements of TikTok user data are passed to these foreign employees, but it did say that location data is shared in some cases. This can happen when users manually add a location to a video they upload, or when they turn on the “Location Services for TikTok” setting. However, the company claims that it does not collect “precise” location data such as GPS coordinates.

The legal issues over international movement of TikTok user data flared up in the US in the final year of the Trump administration, as it sought to ban the company from app stores over national security concerns. The Irish DPC has been conducting its own investigation into the issue since 2021, but with a focus on GDPR compliance under the Schrems II terms, which require that data transferred out of the EU receive a level of protection essentially equivalent to the one it enjoys inside the bloc. An initial draft decision on the matter is expected sometime in the first quarter of 2023, with binding terms potentially issued within several months after that.

Privacy policy raises questions about TikTok’s future status in Europe

The use of SCCs is no guarantee that transfers of TikTok user data are lawful under the GDPR. Since Schrems II, the data exporter must assess, transfer by transfer, whether the laws of the destination country undermine the protections the clauses promise and must apply supplementary measures where they do; it is unclear whether such assessments have been carried out for the transfers cited in association with the privacy policy.

TikTok’s big move to shore up its EU status has been the construction of a data center in Ireland, something that has been underway since 2020. EU TikTok user data will be stored locally once the facility is complete. However, the facility was supposed to be complete in early 2022 but has suffered several delays, the most recent of which has pushed the expected opening date back to sometime in 2023.

The flap over US TikTok user data potentially shines some light on the situation, as it arose from a leak of internal company chats that was supplied to the media. The content of those chats suggests in several places that engineers in China essentially have free access to US user data, and that TikTok branches in other countries frequently need to grant access to Chinese staff because they simply do not know how certain aspects of the platform work. While that may seem like a relatively innocuous internal matter, other nations are concerned because China’s national security laws grant the government ready access to any data stored within the country.

TikTok has inarguably suffered serious public relations damage from its insistence on keeping its operations in other countries tied to China, but it also remains wildly popular among younger users (including underage users who have special protections under national laws).

Claude Mandy, Chief Evangelist for Data Security at Symmetry Systems, sees this as putting the company on a collision course with harsh regulations or even bans if it does not start practicing “radical” transparency to reassure both parents and members of government who have national security concerns: “The changes to their privacy policy by TikTok to reflect their actual engineering and fraudulent account practices should be commended; although it will generate alarm bells, primarily over the geographic spread of their employees with this level of access. A lot of the parents, like myself at Symmetry Systems, would be comforted to see more ongoing and somewhat radical transparency from tech companies like TikTok, with detail on the number of employees with this level of access, and how much information from how many TikTok users was viewed in accordance with the different lawful uses outlined in the policy. It is only with modern data security practices that monitor actual operations in accordance with their privacy against personal information that TikTok will be able to provide sufficient transparency like this to privacy regulators, users and governments that they are truly privacy conscious.”