TikTok Informs European Users Its Staff In China Accesses Their Data

Privacy policy update ensures data of continent’s users accessible to range of TikTok bases including in the US, Brazil, and Israel

TikTok is pointing out to its European users that their data can be accessed by staff outside the continent, including in China, amid regulatory and political concerns about Chinese access to user information on the platform.

The Chinese-owned social video app is updating its privacy policy to ensure that employees in countries, including China, are permitted to access user data to ensure their experience of the platform is “consistent, enjoyable, and safe”.

The other countries where European user data could be accessed by TikTok staff include Canada, Brazil, and Israel along with Singapore and the United States, where European user data is stored currently.

TikTok’s head of privacy in Europe, Elaine Fox, said:

“Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognized under the GDPR [the EU’s general data protection regulation], we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States, remote access to TikTok European user data.”

Data could be used to perform checks on aspects of the platform, including the performance of its algorithms, which suggests content to users, and identifies vexatious automated accounts. TikTok has previously admitted that some user data is accessed by staff of the company’s parent, ByteDance, in China.

TikTok Data Privacy Challenge

In a letter to Republican senators published in July, TikTok’s chief executive, Shou Zi Chew, said a “narrow set of non-sensitive” US user data could be inspected by foreign employees if authorized by a US-based TikTok security team. He added that none of the data was dished out to Chinese government officials.

This privacy policy update, which concerns the UK, Switzerland, and the European Economic Area, and which goes live on 2 December, occurs against a backdrop of regulatory and political pressure over the use of data generated by the app, which has over a billion users globally.

The US President, Joe Biden, has stopped executive orders from his predecessor, Donald Trump, ordering to dispose of TikTok’s US business, but in their place, he has requested the US commerce department to provide recommendations to secure the data of people in the US from “foreign adversaries”.

The Committee on Foreign Investment in the US, which examines business deals with non-US companies, is also carrying out a security review of TikTok. Ireland’s data watchdog, which has jurisdiction over TikTok across the EU, has also started an investigation into “transfers by TikTok of personal data to China”.

Michael Veale, an associate professor in digital rights at University College London, said that under a recent EU ruling data transfers between the bloc and China would have to be examined for security. “It is extraordinarily difficult to routinely send EU user data to China because contracts between a Chinese and a European company can’t prevent state access.”

Under a European Court of Justice ruling labeled Schrems II, specific data transfers outside the EU must consider “the level of protection”, with a special focus on access by state authorities, given to the user’s data at the other end.

Veale said China’s data laws could result in questions being posed over the security of even limited data transfers. However, he added: “I’m not convinced that the Chinese government’s focus is currently on spying on individuals’ TikTok data. They have other means to access private information. Growing and deepening an influential platform is itself a powerful goal.”

In a blog post in 2021 TikTok said it was “aligned” with the regulatory direction laid out by the Schrems II ruling. In the UK, the Information Commissioner’s Office, the country’s data watchdog, is discussing new guidance for data transfers post-Brexit. However, the government has suspended a new data reform bill.

Last month, TikTok challenged a report in the business publication Forbes that it was used to “target” US citizens. Forbes had reported that it intended to keep tabs on the location of at least two people via the video-sharing app.

In the privacy policy update, Fox said TikTok did not gather “precise location information” from users in Europe, whether predicated on GPS technology or otherwise. In its current iteration the privacy policy states: “With your permission, we may also collect precise location information (such as GPS).”