TikTok postpones opening of first European data center again | TechCrunch

TikTok has again delayed the timeline for opening its first data center in the European Union, in Dublin, Ireland, saying the facility is not expected to be fully operational until next year.

The video-sharing social network has been pursuing plans since 2020 to store the data of EU, EEA and UK users in the region.

This data center in Ireland was originally intended to be operational in early 2022. That timeline was then pushed back to late 2022. Now it’s shifted to 2023.

Currently, TikTok user data is kept outside the region, in Singapore or the US.

Asked about this extended delay, a spokeswoman for TikTok said: “We initially announced our intent to establish a data center in August 2020. The challenges posed by the ongoing global pandemic have significantly affected our original timeline.”

A European “Transparency and Accountability Center” – announced by TikTok in April 2021 as a hub where outside experts could get information about its platform practices in areas such as content moderation, security and privacy – has been operating virtually since last year, also on account of the coronavirus pandemic, with the company saying it would also open a physical center in Ireland in 2022.

TikTok has been grappling with user data security concerns for years as its parent company, Beijing-based ByteDance, is subject to China’s Internet Security Act — which has given the Chinese Communist Party sweeping powers to obtain data from digital companies since 2017.

The Irish Data Protection Commission (DPC), TikTok’s lead EU privacy regulator, announced two investigations into the company’s data processing activities in September 2021 – one focused on international data transfers and the other on handling children’s data. Since then, there has been no update on the progress of the investigation. (We’ve asked about the data transfer investigation and will update if we get a response from the DPC.)

The issue of exporting personal data from the EU has been mired in legal uncertainty for years, following revelations in 2013 by NSA whistleblower Edward Snowden about how massive government surveillance programs extract data from consumer services such as social networks. (Facebook, for example, continues to face uncertainty over the legality of its data transfers between the EU and the US because of a very long-running data transfer complaint, with a revised draft decision sent to the company in February.)

While the Snowden revelations centered on the US government’s interception of bulk data, the Chinese state’s digital surveillance of the internet is just as problematic (and for some, arguably more so) from a privacy standpoint. This puts TikTok, as a Chinese-owned social network, in a tough spot in terms of data security and data management.

Data localization has been proposed as a way for internet companies to mitigate this type of data transfer-based legal risk and — as far as the EU is concerned — seek compliance with regional data protection rules that require Europeans’ personal data to enjoy the same level of legal guarantees if it is exported outside the bloc as it has inside.

A global social network like TikTok, which does not firewall usage by region, will never be able to completely silo data based on the user’s region of origin. For example, an EU-based TikTok user can comment on the video of a US-based TikTok user, or vice versa. Where is that data stored?

That said, there may be a case where certain types of international data flows that take place on these platforms can rightfully claim legal ground as so-called “necessary transfers” under EU law, such as messages intentionally sent between users.

And if most of TikTok’s EU users’ data is stored in the bloc, local privacy regulators may take a kinder view of those remaining data exports, too.

TikTok describes its plan to locate EU users’ data in the region as a “European data management strategy” – highlighting other measures it claims it is taking, such as “strictly limiting” employees’ access to personal data and minimizing data exports – so that seems to be its hope.

At the same time, the company is building on concerns that followed recent data transfer enforcements by EU regulators — such as decisions finding breaches related to the use of products such as Google Analytics and Stripe — by pointing out that global products need data to flow to function properly.

“Such a regional approach to data governance allows us to stay aligned with European data sovereignty goals,” TikTok’s head of privacy in Europe, Elaine Fox, argued in a blog post today. “At the same time, we are minimizing data flows outside the region in a way that allows us to maintain the global interoperability needed to ensure that our users here stay connected to our 1 billion strong community — and enjoy the benefits of a global product experience.”

The export of personal data from the EU is not illegal, period. The bloc’s highest court left the door open for data transfers to so-called third countries in its July 2020 ruling, which invalidated a key data transfer agreement between the EU and the US — and said it was still possible to export data using mechanisms like standard contractual clauses (which TikTok’s Fox says the company uses) – as long as the overarching condition of adequate protection for people’s data in the country of destination has been met.

The EU’s European Data Protection Board followed that ruling with advice on so-called additional measures that controllers may be able to apply to increase the level of protection to the required legal standard.

And while TikTok claims it uses a mix of such measures to secure transfers, it doesn’t go into specifics about what it does. (That’s presumably what the DPC will assess in its data transfer investigation.)

“Where data transfers outside the region are required, we rely on approved methods for data transfers from Europe, such as standard contractual clauses,” Fox wrote. “We also apply a series of additional technical, contractual and organizational measures to ensure that these transfers receive an equivalent level of data protection as in the UK and the EEA. In practice, this means that all personal data is protected by a robust set of physical and logical security controls, along with various policies and data access controls for employees.”

TikTok arguably has more cause for concern about the data transfer issue than US-based internet services, as China simply won’t get a transfer deal from the EU (regardless of adopting its own data protection regime; geopolitically, it’s not workable) — while the US and the EU announced last month that they had reached a political agreement on a replacement transatlantic data transfer agreement. (Adoption will likely take months, though.)

That means US tech platforms like Facebook are looking forward to the prospect of — at the very least — another extended grace period during which they can continue to pass data, before a new legal challenge to EU-US data flows could once again negate the regime.

As a Chinese entity, TikTok cannot rely on such a backstop.

So it’s not surprising that elsewhere in its blog post, the video-sharing service tries to emphasize the economic value of its regional operations, writing: “We have thousands of employees across the region, working on, among other things, brand engagement and creators, e-commerce, monetization, music, privacy, product, public policy, R&D and trust and security. We have announced permanent offices in two of our main global hubs, Dublin and London. We are further strengthening our local leadership teams in France, Italy and Spain and scaling up our activities in new markets such as Belgium and the Netherlands.”

However, data transfers are not TikTok’s only woe in Europe.

The social network is also facing additional regional consumer protection inquiries – with the European Commission starting a formal dialogue on its ToS last year following a series of complaints.

In the UK, the company is also subject to a privacy class action-style lawsuit over children’s data processing.
