TikTok has again delayed the deadline for opening its first data center in the European Union in Dublin, Ireland, saying the facility won’t be fully operational until next year.
The video-sharing social network follows a plan to store data from users in the EU, EEA and UK in the region from 2020.
This data center in Ireland was originally scheduled to be operational in early 2022. This schedule was then pushed back to the end of 2022. It has now been pushed back to 2023.
Currently, TikTok user data is stored outside of the region, either in Singapore or the US.
When asked about this long delay, a TikTok spokesperson said: “We originally announced our intention to set up a data center in August 2020. Issues related to the ongoing global pandemic have significantly impacted our original schedule.”
The European “Center for Transparency and Accountability”, announced by TikTok in April 2021 as a hub where third-party experts can access information about its platform’s practices in areas such as content moderation, security and privacy, has previously operated for almost many years. including . Due to the coronavirus pandemic, the company said it would also open a physical center in Ireland in 2022.
TikTok has been battling user data security issues for years as its Beijing-based parent company ByteDance is subject to China’s Internet Security Law, which has granted the Chinese Communist Party sweeping rights to obtain data from digital companies since 2017.
The Irish Data Protection Commission (DPC), head of TikTok, announced two investigations into the company’s data processing activities in September 2021, one on international data transfers and the other on children’s data processing. Since then, however, no information has been received on the progress of his investigation. (We have requested information on the data transfer investigation and will let you know if we get a response from the DPC.)
The issue of exporting personal data from the EU has been shrouded in legal uncertainty for years after NSA whistleblower Edward Snowden exposed in 2013 how massive government surveillance programs extract data from consumer services such as social media. (Facebook is facing uncertainty about the legality of its data transfers due to a very longstanding EU-US data transfer complaint, such as a revised draft decision sent to the company in February.)
While Snowden’s revelations focused on the US government intercepting large amounts of data, the Chinese state’s digital surveillance of the Internet is equally (and for some, perhaps even more so) problematic from a privacy standpoint. This puts TikTok as a Chinese social network in a difficult position in terms of data security and data management.
Data localization has been suggested to internet companies as a way to reduce this type of legal risk associated with data transfers and – as far as the EU is concerned – to try to comply with regional data protection regulations that require the personal data of Europeans. The level of protection of legal guarantees both outside the unit and inside.
A global social network such as TikTok that does not require the use of firewalls at the regional level will not be able to completely disaggregate the data store based on the user’s home region. For example, an EU TikTok user can comment on a US TikTok user’s video, or vice versa. Where is this data stored?
However, there may be a case where certain types of international data streams occurring on these platforms can claim legal basis under EU law as so-called “basic transfers”, for example those intentionally sent between users.
And if the data of the majority of EU TikTok users is stored in blocks, local privacy regulators can also get a better idea of this remaining exported data.
TikTok describes its plan to track EU user data in this area as a “European data governance strategy,” highlighting other announced measures such as protecting employees from accessing personal data, “Strictly restricting access” and reducing data exports. so that seems to be his hope.
At the same time, the company is tackling concerns that EU regulators have recently implemented data breaches — solutions to detect data leaks associated with the use of products such as Google Analytics and Stripe — by indicating that global products need data. for correct operation.
“This regional approach to data governance allows us to meet European data sovereignty goals,” Ellen Fox, TikTok’s head of privacy for Europe, said in a blog post today. “At the same time, we are reducing data flows out of the region, allowing us to maintain the global interoperability needed to ensure our users stay connected to our billion-plus community – and through a global experience.” Rate the benefits. product.”
Exporting personal data from the EU is not illegal, period. The bloc’s Supreme Court, in its July 2020 ruling, left the door open for data transfers to so-called third countries, invalidating a major data transfer agreement between the European Union and the US, and stated that using mechanisms such as the standard. data export is possible. Contract clause (which TikTok’s Fox says the company uses) – provided that some kind The broad condition for adequate protection of data of natural persons in the country of destination is met.
In response to this decision, the European Data Protection Board of the European Union has made recommendations on so-called additional measures that controllers can take to raise the level of protection to the required legal standard.
And while TikTok claims to use a combination of such measures for secure transmission, it doesn’t go into the details of what it does. (This is likely something that the DPC will evaluate in their investigation of data transfers.)
“Where data transfers outside the region are required, we rely on accepted data transfer practices from Europe, such as standard contractual clauses,” writes Fox. “We are also implementing a number of additional technical, contractual and organizational measures to ensure that these transfers provide the same data protection as in the UK and EEA. In practice, this means that all personal data is protected by a strong set of physical and logical security controls, as well as various policies and data access controls for employees. ,
TikTok may have more reason to be concerned about data transfers than U.S. internet services, as China won’t get a data transfer deal from the EU (despite adopting its own data protection regime; geopolitically speaking) from which it impractical). – while the US and EU enthusiastically announced last month that they had reached a political agreement to replace the transatlantic data transfer agreement. (However, acceptance may take months.)
This means that US tech platforms like Facebook are waiting for – at least – the prospect of another extended grace period as they continue to transfer data and regime before a new legal challenge to EU-US data flows can be resumed.
As a Chinese organization, TikTok cannot rely on such support.
So it’s not surprising that in a blog post elsewhere, the video-sharing service seeks to increase the economic value of its regional operations, writing: “We have thousands of employees across the region, including but not limited to brands and creators working to include e-commerce, monetization , music, privacy, products, public policy, research and development, and trust and security. We have announced the establishment of permanent offices in our two main global centres, Dublin and London. We are strengthening our local leadership teams in France, Italy and Spain are expanding into new markets such as Belgium and the Netherlands.
However, data transmission is not the only trouble TikTok has in Europe.
In the UK, the company is also subject to a class-action privacy lawsuit in connection with the processing of children’s data.