TikTok has once again delayed the timeline for opening its first data center in the European Union, in Dublin, Ireland — saying the facility is now not expected to be fully operational until next year.
The video-sharing social network has been trailing plans to store the data of EU, EEA and U.K. users in the region since 2020.
This Ireland data center was initially slated to be up and running in early 2022. That timeline was subsequently pushed back to late 2022. Now it’s been punted into 2023.
Currently, TikTok user data is held outside the region, in either Singapore or the U.S.
Asked about this lengthy delay, a TikTok spokeswoman said: “We initially announced our intention to establish a data center in August 2020. The challenges resulting from the ongoing global pandemic have significantly impacted our original timeline.”
A European “transparency and accountability center” — which was announced by TikTok in April 2021 as a hub where outside experts could get info on its platform practices in areas like content moderation, security and privacy — has been operating virtually since last year, also on account of the coronavirus pandemic, with the company saying a physical center would also be opened in Ireland in 2022.
TikTok has faced concerns over the security of user data for several years on account of its parent company, Beijing-based ByteDance, being subject to China’s Internet Security Law — which, since 2017, has given the Chinese Communist Party sweeping powers to obtain data from digital companies.
Ireland’s Data Protection Commission (DPC), which is TikTok’s lead EU privacy regulator, announced two inquiries into the company’s data processing activities in September 2021 — one of which was focused on international data transfers, the other on its handling of children’s data. There’s been no update on the progress of its investigations since. (We’ve asked about the data transfers probe and will update if we get a response from the DPC.)
The issue of exports of personal data out of the EU has been mired in legal uncertainty for years, following revelations in 2013 by the NSA whistleblower Edward Snowden of how government mass surveillance programs were extracting data from consumer services like social networks. (Facebook continues to face uncertainty over the legality of its EU-U.S. data transfers in relation to a very long-running data transfer complaint, for example, with a revised draft decision sent to it in February.)
While the Snowden revelations centered on U.S. government bulk data intercepts, the Chinese state’s digital surveillance of the internet is equally (and for some likely even more) problematic from a privacy point of view. This puts TikTok, as a Chinese-owned social network, in a tricky spot on data security and data governance.
Data localization has been proposed as one way for internet businesses to shrink these sorts of data transfer-based legal risks and — as regards the EU — seek to comply with regional data protection rules that require Europeans’ personal data to enjoy the same level of legal safeguards if it’s exported outside the bloc as it has inside.
However, a global social network like TikTok, which does not firewall usage regionally, is never going to be able to entirely silo storage of data based on the user’s region of origin. An EU-based TikTok user might comment on the video of a U.S.-based TikTok user, for example, or vice versa. Where will that data be stored?
That said, there may be a case that certain types of international data flows taking place on these platforms could justifiably claim a legal basis as so-called “necessary transfers” under EU law — such as messages sent intentionally between users.
And if the bulk of TikTok’s EU users’ data is stored inside the bloc, local privacy regulators may also take a kinder view on those remaining data exports.
TikTok describes its plan to localize EU users’ data in the region as a “European data governance strategy” — emphasizing other measures it claims to be taking, such as “strictly limiting” employee access to personal data and minimizing data exports — so that appears to be its hope.
Simultaneously, the company is leaning into the concern that has followed recent data transfer enforcements by EU regulators — such as decisions finding data breaches in relation to use of products like Google Analytics and Stripe — by pointing out that global products need some data to flow in order to be able to, well, function.
“Such a regional approach to data governance enables us to stay aligned with European data sovereignty goals,” TikTok’s head of privacy in Europe, Elaine Fox, argued in a blog post today. “At the same time, we are minimising data flows outside of the region in a way that allows us to maintain the global interoperability needed to ensure that our users here remain connected to our 1 billion strong community — and enjoy the benefits of a global product experience.”
Exports of personal data out of the EU are not illegal, period. The bloc’s top court left the door open for data transfers to so-called third countries in its July 2020 ruling which invalidated a major EU-U.S. data transfer deal — saying it was still possible for data to be exported using mechanisms such as Standard Contractual Clauses (which TikTok’s Fox says the company uses) — provided that the overarching condition of adequate protection for people’s information in the destination country is met.
The EU’s European Data Protection Board followed that ruling with guidance on so-called supplementary measures that data controllers may be able to apply to raise the level of protection to the required legal standard.
And while TikTok claims it is applying a mix of such measures to secure transfers, it does not go into specific detail about what it’s doing. (That, presumably, is what the DPC will be assessing in its data transfer inquiry.)
“Where data transfers outside of the region are required, we rely on approved methods for data being transferred from Europe, such as standard contractual clauses,” Fox wrote. “We also employ a range of complementary technical, contractual and organisational measures so that these transfers are afforded an equivalent level of data protection to that in the U.K. and EEA. This means in practice that any personal data is protected through a robust set of physical and logical security controls, along with various policies and data access controls for employees.”
TikTok arguably has more cause for concern on the data transfers issue than U.S.-based internet services because China is simply not going to be granted a transfer deal by the EU (no matter having passed its own data protection regime; geopolitically speaking, it’s not workable) — whereas last month the U.S. and the EU announced that they’d reached a political agreement over a replacement trans-Atlantic data transfer deal. (Adoption will likely take months, however.)
That means U.S. tech platforms like Facebook can look forward to the prospect of — at the least — another extended grace period while they keep passing data and before any fresh legal challenge to EU-U.S. data flows could unpick the regime again.
As a Chinese-owned entity, TikTok won’t be able to rely on such a backstop.
So it’s unsurprising that elsewhere in its blog post the video-sharing service seeks to play up the economic value of its regional operations, writing: “We have thousands of employees across the region, working on areas including brand and creator engagement, e-commerce, monetisation, music, privacy, product, public policy, R&D and trust and safety. We’ve announced permanent offices in two of our most important global hubs, Dublin and London. We’re further bolstering our local leadership teams in France, Italy and Spain and are scaling our business in new markets such as Belgium and the Netherlands.”
Data transfers are not TikTok’s only woes in Europe, though.
The social network is facing additional regional scrutiny on the consumer protection front, too — with the European Commission initiating a formal dialogue over its ToS last year following a series of complaints.
In the U.K., the company is also subject to a privacy class action-style lawsuit over its processing of children’s data.