Elaine Fox, head of privacy for Europe at TikTok, tells SiliconRepublic.com how the company is trying to be more transparent than other tech firms in order to stay ahead of the curve amid stricter EU regulations.
TikTok, like many other tech platforms operating in Europe, has been stepping up its efforts to fight disinformation and harmful content on the app ahead of local and EU elections on 7 June.
This push is partly informed by its own understanding of the impact bad actors can have through large social media platforms and partly thanks to tough EU rules such as the Digital Services Act (DSA) and, more recently, the AI Act.
But despite its best efforts, including launching election centres on the app to provide vetted information ahead of the polling date and employing more than 6,000 moderators, TikTok believes the narrative around its handling of data privacy and misinformation has been somewhat “unfair”.
“Sometimes some of the concepts are quite hard to describe and explain,” said Elaine Fox, head of privacy for Europe at TikTok, speaking to journalists at a press briefing in Dublin this week.
Fox was referring to mechanisms relating to Project Clover, a sweeping set of measures taken by the ByteDance-owned company to ensure European user data remains in Europe through a €12bn investment and the establishment of three new data centres, two in Ireland and one in Norway.
“So I think when we’re dealing with our industry experts and the regulators and those who would have very deep understanding of the subject matter, I think it’s probably easier,” Fox added.
“We have a huge commitment to data privacy in the region, built out of my team – a majority of which are in Dublin – but also spread across Europe. And there are many teams in TikTok all working together… This type of collaboration is seen across the business in terms of our privacy as well. It’s our top priority for the business and just something we’re going to have to continue.”
Who has access to EU user data?
Some of these concepts include distinctions TikTok makes between different types of user data and what can or cannot be accessed by global teams like, for instance, employees based in China (where ByteDance is headquartered).
Currently, TikTok said user data is stored across data centres based in the US, Singapore and Malaysia. Once Project Clover is complete, the idea is that European user data would be stored across the three EU data centres – the first of which is already operational in Dublin.
‘Teams globally will still have access to user data, but in an as-needed basis subject to multi-tiered approval’
– ELAINE FOX
When asked by SiliconRepublic.com about who has access to the data currently, TikTok stressed that employees based in China have no access to private personal data belonging to EU residents.
“We’re one of the only companies to list the countries specifically where the global teams are based who have access to user data. We took that step even though other companies weren’t doing it because we really wanted to be open with users to try and help explain how we keep the app running, where we have teams and things like that,” Fox explained.
“In the context of Project Clover, teams globally will still have access to user data, but in a kind of as-needed basis subject to multi-tiered approval. The actual specific teams will be approved and reviewed then by our information security team and the NCC.”
Based in the UK, the NCC Group is a cybersecurity firm that has been selected by TikTok to audit its data controls and protections, monitor data flows, provide independent third-party verification and report any incidents. Its inclusion is seen as one of the major pillars of Project Clover and its acceptance in Europe so far.
Navigating regulation in the EU v US
But for what TikTok deems to be public user data (such as aggregated metadata which does not fall under private data as defined by GDPR), Fox said that if engineers based in China needed access, the data would be completely “de-identified”.
“That’s where we’re using our privacy enhancing technologies to strip out any identifiers that may exist even in that aggregate data. So going beyond what is currently industry standard and going into those kinds of scenarios with interoperable data and aggregate data to ensure that it’s fully protected.”
‘We’re highly regulated in the EU. There’s the DSA, GDPR, DMA and now the AI regulation’
– SUSAN MOSS
And while TikTok has been faring better in Europe than across the pond, it nonetheless faces some regulatory turbulence here. In February, the European Commission opened an investigation into the app, which has around 150m users in the EU, after suspecting it of being in breach of the DSA.
But the presence of consistent rules in Europe makes it easier for the platform to navigate regulation here than in the US, where it is currently locking horns with the US government over a potential ban if it does not divest from its parent company.
“We’re highly regulated in the European Union. There’s the Digital Services Act, the GDPR, the Digital Markets Act, now even the AI regulation. But in the US, some of their concerns could be addressed by implementing a federal privacy law,” Susan Moss, head of public policy and government relations at TikTok Ireland, told SiliconRepublic.com.
“I think the regulation means the focus is on the data being safe and secure, not necessarily the ‘where’,” added Fox. “So I think when you look at transferring data, it is about ensuring, demonstrating and being able to provide that evidence that the data is fully secure in terms of what is transferred everywhere – not just to China – as per the requirements of GDPR. So, it is broader than the kind of more, say, targeted issue which is in the US.”