TikTok has begun shifting European citizens’ user data to a newly operational site in Dublin as it moves to address western politicians’ concerns about Chinese state influence over the company.
The video-sharing app also announced that an independent UK-based cybersecurity company will vet any transfer of data outside Europe.
The Chinese-owned company said a datacentre in the Irish capital has now begun the migration of European user data, with two other datacentres in Norway and a second centre in Ireland to follow by the end of next year.
TikTok expects a full migration of personal data of users from the European Economic Area and UK by the end of 2024 to those datacentres, which will then be the default data location for users within this region. Currently, TikTok stores its global user data in the US, Malaysia and Singapore.
NCC Group, a UK-based cybersecurity company, will independently audit TikTok’s data controls and protections, monitor data flows, provide verification and report any incidents.
Stephen Bailey, global director of privacy at NCC Group, said: “We will be conducting security assessments of the TikTok platform, validating the type of data being transferred or accessed in the European datacentres and we will also be conducting security assessments of the TikTok platform from mobile iOS devices and Android to look for security vulnerabilities or misconfigurations.”
NCC Group is able to have discussions with national security bodies or regulators without TikTok being involved.
The third-party oversight and new datacentres come after TikTok announced Project Clover in March, a data security programme to protect user information across Europe.
The US’s equivalent programme, Project Texas, will store data from American users within their own country on servers run by the tech firm Oracle.
The announcement of TikTok storing European user data locally follows global concerns and allegations over TikTok data being accessed or manipulated by the Chinese government, which TikTok denies.
Last year, TikTok told its European users that staff in China could access their user data to ensure their experience of the platform is “consistent, enjoyable and safe”.
TikTok has also made changes to its popular app as required by the EU’s Digital Services Act, which calls for all large online platforms to share data with authorities. Changes include making it easier for European users to report illegal content, turning off personalised recommendations for videos and the removal of targeted advertising for users aged 3-17.
Theo Bertram, TikTok’s vice-president of public policy for Europe, said implementing data sovereignty was a “really significant area of investment in our company” and the platform had made “substantial progress” on Project Clover.
He added: “What we heard from the commission is that they are taking action about a fear of things that can happen instead of things that have happened and it is not enough for us to say: ‘Trust us, we are keeping data secure’ – which is why we have brought in NCC Group so there is confidence in what we are saying and it being validated by an independent third-party company.”
Elaine Fox, the platform’s head of privacy for Europe, said that when Project Clover is fully operational “personal data of EEA/UK users will go through additional security gateways before it can be accessed”. She added that TikTok stores its global user data in the US, Malaysia and Singapore with strict reviews on access permissions.