TikTok says staff in China have access to European user data

3 Nov 2022

Image: © Ascannio/Stock.adobe.com

Other countries in which some TikTok staff have access to European user data include Brazil, Canada, Israel, Japan, Malaysia and the Philippines.

TikTok has confirmed that employees in China and a host of other countries have remote access to European user data.

In an update yesterday (2 November), TikTok head of privacy for Europe Elaine Fox said that user data from the European Economic Area, Switzerland and the UK can be accessed by some staff in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea and the US.

Until now, the company owned by Chinese business ByteDance had only revealed that European user data was stored in the US and Singapore.

Concerns have been raised about Chinese access to user information on the video sharing platform. Last year, Ireland’s Data Protection Commissioner said some of TikTok’s EU data may be accessible to teams in China and there was “intensive engagement” with the company about how it manages data.

The Irish watchdog, which is the lead supervisor for TikTok under the EU’s data protection rules, then opened an inquiry into the company’s transfer of data to China and its compliance with GDPR when it comes to transferring data to third countries.

Announcing an update to its privacy policy for Europe this week, Fox said TikTok’s focus is on limiting the number of employees with access to European user data, minimising data flows outside of the region, and storing European user data locally.

But she detailed that “certain employees” in the listed countries have remote access to European TikTok user data “based on a demonstrated need to do their job”.

This access is subject to “a series of robust security controls and approval protocols, and by way of methods that are recognised under the GDPR,” she added. “Security controls include system access controls, encryption and network security.”

TikTok’s tussle with regulators

This update comes at a time when the popular social video app is coming under scrutiny across the globe for its data practices. Last month, it was announced that TikTok may be fined £27m in the UK for failing to protect the privacy of children on its platform.

In July, TikTok paused a privacy policy update that would allow for personalised ads without asking for users’ consent after receiving a warning from Italy’s data protection authority.

As well as its inquiry into data transfers to China, the Irish Data Protection Commission also launched an inquiry last year into how TikTok processes the personal data of children.

The privacy policy update may intensify scrutiny of TikTok’s data practices in Europe, where the platform has more than 220m users.

“In order to operate a global platform designed for sharing joyful content, we rely on a global workforce to ensure that our community’s TikTok experience is consistent, enjoyable and safe,” Fox said.

“TikTok does not collect precise location information, whether based on GPS technology or otherwise, from users in Europe.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic

editorial@siliconrepublic.com