BEIJING, March 9 (TMTPOST) – China-owned short video app TikTok on Wednesday unveiled a series of data security measures codenamed “Project Clover” in response to tightening European regulations on data security.
Under “Project Clover,” TikTok will take data protection measures stricter than the requirements of existing EU laws. TikTok will also invest 1.2 billion euros in the construction of three new data centers that store TikTok user data locally in Europe, operated by third-party service providers. Two data centers will be located in Ireland and the third one in Norway.
TikTok, which has been under close scrutiny in Europe, the United States and Canada, will also introduce secure gateways to restrict employees from accessing or transferring TikTok’s European user data, requiring that data access should not only conform to relevant data protection laws, but also pass through the secure gateways and additional checks. The gateways will be overseen by a third-party European security company, which will audit TikTok’s data controls and protections, monitor data flows, provide independent verification, and report any incidents.
Meanwhile, the short video platform also plans to work with third parties to enhance privacy protection, such as pseudonymization of personal data, which will make it impossible to identify individuals without additional information. These privacy protections will be implemented in 2023 and 2024.
Under increasing regulatory pressure in Europe, TikTok has been banned from the employees’ cell phones by the European Council, the European Commission, and the European Parliament, with an estimated 43,240 employees affected. An announcement issued by the European Commission on February 23 said the blocking of TikTok was aimed at protecting the Commission from cybersecurity threats and that it’s necessary to respond to potential cyber alerts as early as possible. Meanwhile, the European Commission will monitor security developments of other social media platforms.
Previously, the EU nations had launched a data protection investigation into TikTok. On September 14, 2021, the Irish Data Protection Commission (DPC) launched two investigations into TikTok’s compliance with the EU General Data Protection Regulation (GDPR). It investigated TikTok’s platform settings for users under the age of 18 and age verification measures for users under the age of 13. Besides, the DPC probed the platform’s transfer of personal data to China, and its compliance with the GDPR’s requirements for transferring personal data to third countries. In September 2022, the DPC submitted draft findings, but has not yet announced the formal results.
Similar to Project Clover, Project Texas has also been launched by TikTok, a data security project in the U.S. ensuring that all U.S. user data is by default stored in the cloud of Oracle, a U.S. company. To further strengthen this, the platform also negotiated with the Committee on Foreign Investment in the United States (CFIUS) to ensure that only authorized employees can access U.S. user data from Oracle’s cloud.
Recent negotiations between TikTok and CFIUS have resulted in the separation of TikTok from the U.S. company, which will have an independent board of directors nominated by TikTok and vetted by the U.S. government. Following a request by the U.S. Congress, the White House asked the federal government to uninstall TikTok on February 27. In response to U.S. regulatory pressure, TikTok is improving its technology to comply with the U.S. government’s data localization requirements, while engaging in lobbying and public relations efforts to prevent further deterioration of U.S. regulatory policies.