TikTok, the Chinese video sharing app that’s found itself at the center of a geopolitical power struggle which threatens to put hard limits on its global growth this year, said today it will build its first data center in Europe.
The announcement of a TikTok data center in the EU also follows a landmark ruling by Europe’s top court last month that put international data transfers in the spotlight, dialling up the legal risk around processing data outside the bloc.
TikTok said the forthcoming data center, which will be located in Ireland, will store the data of its European users once it’s up and running (which is expected by early 2022) — with a slated investment into the country of around €420M (~$497M), according to a blog post penned by global CISO, Roland Cloutier.
“This investment in Ireland… will create hundreds of new jobs and play a key role in further strengthening the safeguarding and protection of TikTok user data, with a state of the art physical and network security defense system planned around this new operation,” Cloutier wrote, adding that the regional data centre will have the added boon for European users of faster load times, improving the overall experience of using the app.
The social media app does not break out regional users — but a leaked ad deck suggested it had 17M+ MAUs in Europe at the start of last year.
The flipside of TikTok’s rise to hot social media app beloved of teens everywhere has been earning itself the ire of US president Trump — who earlier this month threatened to use executive powers to ban TikTok in the US unless it sells its US business to an American company. (Microsoft is in the frame as a buyer.)
Whether Trump has the power to block TikTok’s app is debatable. Tech savvy teenagers will surely deploy all their smarts to get around any geoblocks. But operational disruption looks inevitable — and that has been forcing TikTok to make a series of strategic tweaks in a bid to limit damage and/or avoid the very worst outcomes.
Since taking office the US president has shown himself willing to make international business extremely difficult for Chinese tech firms. In the case of mobile device and network kit maker, Huawei, Trump has limited domestic use of its tech and leant on allies to lock it out of their 5G networks (with some success) — citing national security concerns from links to the Chinese Communist Party.
His beef with TikTok is the same stated national security concerns, centered on its access to user data. (Though Trump may have his own personal reasons to dislike the app.)
TikTok has been taking steps to try to insulate its international business from US-fuelled security concerns — and also provide some incentives to Trump for not quashing it — hiring Disney executive Kevin Mayer on as CEO of TikTok and COO of ByteDance in May, and promising to create 10,000 jobs in the U.S., as well as claiming US user data is stored in the US.
In parallel it’s been reconfiguring how it operates in Europe, setting up an EMEA Trust and Safety Hub in Dublin, Ireland at the start of this year and building out its team on the ground. In June it also updated its regional terms of service — naming its Irish subsidiary as the local data controller alongside its UK entity, meaning European users’ data no longer falls under its US entity, TikTok Inc.
This reflects distinct rules around personal data which apply across the European Union and European Economic Area. So while European political leaders have not been actively attacking TikTok in the same way as Trump, the company still faces increased legal risk in the region.
Last month CJEU judges made it clear that data transfers to third countries can only be legal if EU users’ data is not being put at risk by problematic surveillance laws and practices. The CJEU ruling (aka ‘Schrems II’) means data processing in countries such as China and India — and, indeed, the US — are now firmly in the risk frame where EU data protection law is concerned.
One way of avoiding this risk is to process European users’ data locally. So TikTok opening a data center in Ireland may also be a response to Schrems II — in that it will offer a way for it to ensure it can comply with requirements flowing from the ruling.
Privacy commentators have suggested the CJEU decision may accelerate data localization efforts — a trend that’s also being seen in countries such as China and Russia (and, under Trump, the US too it seems).
EU data watchdogs have also warned there will be no grace period following the CJEU invalidating the US-EU Privacy Shield data transfer mechanism. While those using other still valid tools for international transfers are bound to carry out an assessment — and either suspend data flows if they identify risks or inform a supervisor that the data is still flowing (which could in turn trigger an investigation).
The EU’s data protection framework, GDPR, bakes in stiff penalties for violations — with fines that can hit 4% of a company’s global annual turnover. So the business risk around EU data protection is no longer small, even as wider geopolitical risks are upping the uncertainty for global Internet players.
“Protecting our community’s privacy and data is and will continue to be our priority,” TikTok’s CISO writes, adding: “Today’s announcement is just the latest part of our ongoing work to enhance our global capability and efforts to protect our users and the TikTok community.”