TikTok better hope this report is true.
The platform has finally issued an update on its "Project Clover" data separation project, intended to ensure that European user data is not being accessed by China-based employees and officials, following the forced suspension of operations in India.
Which it says is now largely in effect.
We've already been building additional protections around our European user data under the banner of our industry-leading initiative Project Clover. Those include security gateways further limiting access. We're now pleased to announce that the gateways related to employee access to data and data transmission have launched and are in effect. These enforce technical protocols so that only approved employees can access certain types of data. For example, since last summer, new security protocols have been in place designed to ensure that restricted data stored in our new European data enclave, such as private videos and phone numbers, cannot be accessed by employees based in China."
So on the content front, that covers private videos, which are a minority of TikTok uploads. But what about public posts?
We're also applying pseudonymisation technologies so that allowable data types will only be de-identified before China-based employees can access them. These are data, for example, like public videos or a user's privacy settings, which must flow internationally for our app to work as well as for our 150 million European users to participate in the global TikTok community.
And so, as things stand, China-based TikTok staff or staff from parent company ByteDance can gain access to European TikTok user data, and it seems a lot of it but will be hidden from view as new processes ensure that individual user data is not re-shared back into China.
Which seems to align with data regulations in the EU, but may also miss a key point in that perhaps TikTok is not being used necessarily as a data-gathering tool, but more of a propaganda platform, where messages can be seeded to Western users that are pro-China.
Which is still a contentious element, and there's no definitive evidence to suggest that ByteDance is manipulating user feeds in any way to promote or quash certain narratives. But given that ongoing China-based influence operations are attempting to do this in other big social apps, it seems likely that TikTok could be a vector for the same, and Project Clover won't necessarily protect against such, based on this overview.
However, TikTok also suggests expectations of EU officials by pointing out that its code has been audited by cybersecurity firm NCC Group and will audit its further code changes over time.
TikTok further adds it is building three new data centers in Europe to host the EU user data, two are already active-Norway and Ireland-while the third will come next year.
So, more broadly, TikTok is establishing a more secure environment for managing EU user data, free from the parent company itself located in China, to meet the demands of the EU and avoid being forced to sell into the region, similar to what has been done in the U.S.
But there is a case to be made that the speculative risk of TikTok remains, especially when you also take into account that EU cybersecurity officials specifically pointed to Chinese influence activity in the run up to their elections this year.
So while Project Clover may address some of the core elements of data sharing within the app, I don't think it will silence all the related concerns centered around the app.
If TikTok eventually leaves the U.S., I can only assume that there would be further pressure to do so in other parts of the world as well.