TikTok privacy update in Europe confirms China staff access to data as GDPR probe continues

An incoming privacy policy change announced by TikTok yesterday for users in Europe -- which, for the first time, names China as one of several third countries where user data can be remotely accessed by "certain" company employees to perform what it claims are "important" functions -- has landed months ahead of expected movement on a year+ long investigation into the platform's data exports to China under the bloc's General Data Protection Regulation (GDPR).

The GDPR probe into the legality of the video sharing platform's data transfers to China is being led by Ireland's Data Protection Commission (DPC), TikTok's lead privacy regulator in the region, which opened the inquiry just over a year ago. The DPC told TechCrunch today that it expects its TikTok data transfers inquiry to progress to the next stage in the coming months -- with a draft decision slated to be sent to other EU DPAs for review in the first quarter of next year.

This 'Article 60' review process could lead either to an affirming of Ireland's draft decision -- which would then, in relatively short order, allow for a final decision to be issued (potentially before the middle of next year, judging by past inquiry timelines). However if other EU regulators raise objections to Ireland's draft decision the inquiry would have to move to an 'Article 65' dispute resolution process -- which could add many more months to the process before a final decision could be issued as the bloc's regulators seek consensus.

It's not clear whether TikTok's announcement of the privacy policy tweak relates to this overarching GDPR investigation. The incoming changes -- which are due to apply from December 2 -- do also include an update on how the platform collects users location information so they are not wholly focused on data transfers.

But the disclosure of China staffers accessing European user data could also be a not-very-subtle attempt to preempt regulatory enforcement over its data transfers -- and try to soften a future blow by being able to point to steps already taken to improve its transparency with European users. (Not that that is the only potential issue of regulatory concern vis-a-vis data exports, though.)

A spokesman for TikTok declined to comment on whether its updated privacy policy is in any way linked to the GDPR inquiry -- saying it could not do so as the inquiry remains ongoing.

However in a blog post announcing the update, the company claimed the changes "include greater transparency into how we share user information outside of Europe".

That's notable because transparency is a key principle of the GDPR -- while infringements of the transparency principle can lead to stiff penalties (such as the $267M fine for Meta-owned WhatsApp last year, after an Ireland-led inquiry found a string of transparency breaches).

Claiming you're being transparent and actually being transparent are not necessarily the same thing, of course. So it's worth noting that TikTok's updated privacy policy appears to atomize key bits of information -- such as the full list of countries where employees may remotely access European users' data and for what specific reasons -- across a number of collapsable menus and hyperlinks spread throughout the policy, thereby requiring a user to click around, follow multiple links and basically hunt for relevant intel amid a larger morass of data in order to piece together a comprehensive view of what's happening with their data (rather than clearly articulating and collating everything into a single, easy to digest view).

So, if it's transparency TikTok is really shooting for here it still looks like it has work to do.

Also still a work in progress for TikTok: A data localization project to store European users' data in the region -- which, earlier this year, it announced had been delayed again (until 2023).

Thing is, if TikTok intends to continue to allow employees located in countries with no EU adequacy agreement affirming they have essentially equivalent data protection standards as the bloc to have remote access to European users' information then questions over the legality of its international data transfers are likely to persist.

As well as China, TikTok's privacy policy names Brazil, Malaysia, Philippines, Singapore and the U.S. (which has only a preliminary agreement with the EU for a fresh data transfer agreement at the moment) as countries where employees have remote access to European user data without the cover of an adequacy agreement -- saying it's relying on standard contractual clauses (SCCs) for these transfers.

But, as the EDPB guidance on data transfers points out, each transfer to a third country must be individually assessed and some may not be possible legally, even with supplementary measures applied. So every single one of these transfers will need to stand up to regulatory scrutiny.

Given so many third country transfers, TikTok's European data localization project can only -- at least for now -- be considered a PR exercise. And/or an attempt to curry favor with local regulators in the hopes they take a kinder view of ongoing data exports. Unless or until it ceases data exports to third countries and finds a way to fully firewall its parent entity in China from being able to access any European users' data in the clear.

TikTok's spokesman declined to comment on any future plans it may have to further adapt its data transfers in light of these challenges but he pointed back to its blog post -- which describes its approach to data governance in Europe as being "centred on limiting the number of employees with access to European user data, minimising data flows outside of the region, and storing European user data locally."

TikTok's wider problem is that it's facing dialed up regulatory scrutiny across the Western world more generally as a result of security concerns attached to the Chinese state's ability to gain access to data commercial platforms/services hold on their users -- with national security laws in its home country overriding the usual standard contractual protections.

Its platform also collects an awful lot of user data -- which only fuels concerns about its capacity to be repurposed as a data honeypot for state surveillance or even for 'soft power' foreign influence ops.

While its tracking and profiling of users invites further specific regulatory headaches in Europe -- on the privacy and consumer protection side -- which are applying some limits on how it can operate.

For example, TikTok recently agreed to freeze a controversial change to the legal basis it relies upon to run targeting advertising after a formal warning from the Italian DPA -- and some follow-up "engagement" from the DPC -- over a plan to remove consent (and claim a legitimate interest to run targeted ads). So its profiling and ad targeting model is facing challenges on a number of fronts, even as it tries to defend its business against wider, geopolitical-related security concerns.