TikTok is spelling out to its European users that their data can be accessed by employees outside the continent, including in China, amid political and regulatory concerns about Chinese access to user information on the platform.
The Chinese-owned social video app is updating its privacy policy to confirm that staff in countries, including China, are allowed to access user data to ensure their experience of the platform is “consistent, enjoyable and safe”.
The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently.
TikTok’s head of privacy in Europe, Elaine Fox, said: “Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognised under the GDPR [the EU’s general data protection regulation], we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States, remote access to TikTok European user data.”
Data could be used to conduct checks on aspects of the platform, including the performance of its algorithms, which recommend content to users, and detect vexatious automated accounts. TikTok has previously acknowledged that some user data is accessed by employees of the company’s parent, ByteDance, in China.
In a letter to Republican senators disclosed in July, TikTok’s chief executive, Shou Zi Chew, said a “narrow set of non-sensitive” US user data could be viewed by foreign employees if approved by a US-based TikTok security team. He added that none of the data were shared with Chinese government officials.
The privacy policy update, which applies to the UK, the European Economic Area, and Switzerland, and which goes live on 2 December, takes place against a backdrop of political and regulatory pressure over use of data generated by the app, which has more than a billion users worldwide.
The US President, Joe Biden, has scrapped executive orders from his predecessor, Donald Trump, ordering the sale of TikTok’s US business, but in their place he has asked the US commerce department to produce recommendations to protect the data of people in the US from “foreign adversaries”. The Committee on Foreign Investment in the US, which scrutinises business deals with non-US companies, is also conducting a security review of TikTok.
Ireland’s data watchdog, which has jurisdiction over TikTok across the EU, has also launched an investigation into “transfers by TikTok of personal data to China”.
Michael Veale, an associate professor in digital rights at University College London, said that under a recent EU ruling data transfers between the bloc and China would have to be vetted for security. “It is extraordinarily difficult to routinely send EU user data to China because contracts between a Chinese and a European company can’t prevent state access.”
Under an European Court of Justice ruling dubbed Schrems II, certain data transfers outside the EU must take account of “the level of protection”, with particular focus on access by state authorities, afforded to the user’s data at the other end.
Veale said China’s data laws could lead to questions being raised over the security of even limited data transfers. However he added: “I’m not convinced that the Chinese government’s focus is currently on spying on individuals’ TikTok data. They have other means to obtain private information. Growing and deepening an influential platform is itself a powerful goal.”
In a blog post last year TikTok said it was “aligned” with the regulatory direction set out by the Schrems II ruling.
In the UK, the Information Commissioner’s Office, the country’s data watchdog, is consulting on new guidance for data transfers post-Brexit. However, the government has paused a new data reform bill.
In October, TikTok denied a report in the business publication Forbes that it was used to “target” US citizens. Forbes had reported that it planned to track the location of at least two people via the video-sharing app.
In the privacy policy update Fox said TikTok did not collect “precise location information” from users in Europe, whether based on GPS technology or otherwise. In its current iteration the privacy policy states: “With your permission, we may also collect precise location information (such as GPS).”