TikTok has taken numerous steps to reassure its users in Europe that its service is safe and private, and the latest of these is the opening of a new data center based in Dublin. The move comes as TikTok is weathering multiple privacy probes and was recently fined for its mishandling of children’s data by the European Data Protection Board (EDPB).
TikTok data centers meant to assure EU users that personal information does not flow to China
The opening of the Irish data center is part of the final stage of an EU privacy plan TikTok kicked off in mid-2021, seeking to address user data security concerns and the legal status of its international data transfers in the wake of the Schrems II decision. This began with the appointment of local EU data protection teams, formally establishing main EU offices in Ireland and the UK for regulatory purposes, and establishing a security-focused “Fusion Center” in Dublin meant to reduce risks to platform users.
TikTok also announced the establishment of three data centers in the EU meant to store and process regional user data to satisfy EU privacy rules, with groundbreaking on them beginning in early 2023. The Dublin location is the first to open its doors and begin receiving transfers of user data, with another in Ireland and one in Norway under construction and expected to be operational in the near future.
Concerns about China-based data centers and EU privacy kicked off with a set of new security and data privacy laws put in place by the CCP in recent years, formally granting it very broad power to essentially help itself to any information stored in the country with little to nothing in the way of judicial oversight or third-party monitoring. TikTok has weathered off-again on-again threats of a ban from United States app stores over this development, something that prompted it to develop the “Project Texas” initiative to transfer user data to servers in the US and Singapore that are monitored by Oracle. This is not limited to US user data, with essentially every nation outside of China now having its TikTok traffic routed through these servers to avoid even the appearance or possibility of CCP access to personal information.
This has opened TikTok up to a different issue in terms of EU privacy law, however, as the bloc did not view the US as an adequately secure data transfer partner until recently (Singapore additionally has yet to receive an adequacy decision). With yet another legal challenge to EU-US data transfers looming, TikTok is taking the expensive but safest possible path in migrating all EU data processing to local servers.
TikTok maintains that it has never provided user data to the Chinese government, but its extensive moves with “Project Texas” and “Project Clover” are primarily to assure the US and Europe that there is no possibility of this happening. It has seen broad pre-emptive bans from government devices in both of these regions including at the EU Council, European Parliament and the European Commission.
TikTok continuing to roll out EU privacy plan
In addition to building the new data centers in Ireland and Norway, TikTok is entering into a relationship with a third-party monitoring company similar to Oracle’s oversight of its servers in the US. Cybersecurity firm NCC Group will be contracted to audit TikTok’s data handling and security controls in the region to provide EU privacy assurances. The two firms have announced that they will brief policymakers on the details of this system in the coming months, but NCC will reportedly be in direct communication with EU regulators without the involvement of TikTok.
TikTok continues to face multiple EU privacy challenges even as it implements its new data center strategy. The terms of the Digital Services Act, which went into enforcement late last year, prompted it to put an end to targeted advertising and personalized recommendations directed at users under the age of 18. Despite this, TikTok was hit with large fines over the summer (from both the EU and UK) for improperly processing the data of minors.
TikTok’s EU privacy difficulties thus far have mostly been centered on children’s data privacy issues and the same sort of international data transfer problems that companies like Meta are weathering. However, it was fined by the French data protection authority in January for being too opaque about cookie use and making it too difficult to refuse them. Issues involving TikTok are usually routed through the notoriously slow Irish DPA, but France was able to act directly in this case due to a national data protection law that largely comports with the General Data Protection Regulation (GDPR). And while TikTok had appeared to have cleaned up its relationship with the US government, leaked information about internal data handling led the Biden administration to state that it would ban the company from the US at some point if owner ByteDance did not find a suitable buyer in the country.