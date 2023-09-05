The social media giant is trying to reassure regulators and governments that its data flows for European users don’t end up in China

TikTok has hired a European security company to “independently audit” its data controls and data flows in Europe, in a move aimed at reassuring regulators and governments about data link-ups with Chinese authorities.

The social media giant, which employs 3,000 people at its European base in Dublin, is currently developing a second data centre in Ireland as part of its ‘Project Clover’ plan that divides its data regions.

The security company, NCC Group, is a UK-based publicly listed firm that specialises in cyber security and information assurance.

“The security gateways will restrict access to protected data by employees who are based in China,” said Elaine Fox, head of privacy for TikTok in Europe.

“Protected data includes all personal data of EU and UK users, including a user’s real name, email address, phone number, IP address and any financial information if it was shared, along with any content that a user saved with an audience of ‘only me’.”

Ms Fox said that there were exceptions to this protected data that include shared ‘public’ data, “aggregated’ data for statistics assessment and “interoperable” data to make the IT systems work.

The process will be co-managed by NCC Group and TikTok, said Ms Fox.

“We have engaged a third-party European security company to independently audit our data controls and protections, monitor data flows, provide independent verification, and report any incidents,” said Theo Bertram, TikTok’s vice president for public policy in Europe.

“As the independent security provider, they will monitor data coming in and out of the secure environment to independently validate that only approved employees can access limited data types. NCC Group will perform ongoing security assessments of the new security gateways we are building around European user data, the TikTok app, our data centres, and other TikTok infrastructure.”

Mr Bertram said that NCC will also “validate that network traffic of TikTok’s European user data must pass through the security gateways”.

TikTok, whose parent firm, Bytedance, is Chinese-owned, has been embroiled in controversy over whether Chinese authorities have access to its data systems. The company has consistently denied this. It has spent over €1bn setting up separate data flows in the US and Europe, with ‘Project Clover’ aimed at reassuring European fears by setting up a “secure enclave” for European TikTok user data.

In April, the Irish Government announced that it would restrict the use of TikTok on public sector devices following advice from the National Cyber Security Centre (NCSC). The move followed similar restrictions in other European countries and in the US.

However, TikTok says that it hopes to convince policymakers that its tightened controls will reassure them on safety.

“All of these controls and operations are designed to ensure that the data of our European users is safeguarded in a specially-designed protective environment, and can only be accessed by approved employees subject to strict independent oversight and verification,” said Mr Bertram.

“In the coming months, TikTok and NCC Group will engage with policymakers across Europe to explain how this comprehensive system will work in practice.”