TikTok battles privacy concerns and espionage fears in Europe

Access to the comments Comments
By Jorge Liboreiro
TikTok is owned by the Beijing-based company ByteDance, a fact that has stoked fears of political interference.
TikTok is owned by the Beijing-based company ByteDance, a fact that has stoked fears of political interference.   -   Copyright  Martin Meissner/Copyright 2022 The AP. All rights reserved

Fame has often been described as a double-edged sword, with a delicate balancing act of perks and burdens, joys and woes, that can beguile and confound at equal rates. For TikTok, popularity is proving to be a formidable challenge, one that threatens to knock the company down from its absolute peak.

The video-sharing app, which became worldwide famous during the stay-at-home days of the COVID-19 pandemic and since then evolved into a powerful tech giant on par with Silicon Valley titans, finds itself under increasing scrutiny from legislators, policy-makers and journalists around the world, who worry about the undesired side effects of its astonishing rise.

TikTok CEO Shou Zi Chew this week flew to the Belgian capital for high-level meetings with several European Commissioners, including Margrethe Vestager, the executive vice-president who oversees the bloc’s digital agenda, and Věra Jourová, in charge of values and transparency.

The meetings, a European Commission spokesperson told Euronews, took place "at the request of the company" and focused on the obligations that will arise from the European Union's brand-new set of twin regulations, the Digital Services Act (DSA) and the Digital Markets Act (DMA).

"We are aware of the concerns related to the use of TikTok," the spokesperson noted.

Western regulators suspect TikTok, whose parent company, ByteDance, is headquartered in Beijing, has the potential to bring sensitive data from private citizens into the hands of the Chinese government and exploit its algorithm of content recommendation to spread communist propaganda.

Although the company has vigorously tried to counter these claims, a relentless series of media revelations continue to fuel the criticism, thrusting TikTok into the very realm of national security.

From Washington to Brussels, politicians now debate how to tackle the highly popular app, which for the time being operates mostly unencumbered all throughout the West.

"I count on TikTok to fully execute its commitments to go the extra mile in respecting EU law and regaining trust of European regulators," Věra Jourová said after the meeting with Chew, according to a short read-out.

"There cannot be any doubt that data of users in Europe are safe and not exposed to illegal access from third-country authorities."

'Zero requests' from China

The Brussels visit comes as TikTok steps up work on a make-or-break deal with American regulators that can prove user data is freed from Chinese interference. Failing to provide such vital assurance might push the administration of President Joe Biden to slap an outright ban or order a divestment from ByteDance.

The US Congress approved last month a measure to exclude TikTok from electronic devices used by the federal government, while Republican Senator Marco Rubio proposed a bipartisan draft law to introduce a nationwide ban on TikTok, a radical move that India made more than two years ago citing data compilation by "elements hostile to national security."

Neither TikTok nor ByteDance responded to requests for comment sent by Euronews. 

In previous statements to the media, TikTok has defended its independence from the Chinese government and insisted its data collection practices were in line with industry standards.

"Since beginning transparency reporting in 2019, we have received zero data requests from the Chinese government," a TikTok spokesperson told the Guardian.

But despite a flurry of statements, high-profile meetings, public outreach and intense lobbying, privacy and espionage concerns persist on both sides of the Atlantic.

In a privacy update released in early November, TikTok pledged new efforts to minimise data flows outside of Europe and store data locally. Data from TikTok users in Europe, which covers the EU, Norway, Iceland, Switzerland and the United Kingdom, is currently stored in the US and Singapore.

However, in that same privacy update, TikTok said that, due to the need of operating a "global platform designed for sharing joyful content," certain company employees in countries outside the continent would be granted "remote access" to European user data.

The list of ten countries included China.

Workers will manage this data, the company explained, "based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols," as well as through methods aligned with the EU's landmark General Data Protection Regulation (GDPR).

The on-the-record admission that China-based employees will access European data made international headlines and amplified long-standing concerns around ByteDance and the Chinese Communist Party.

"Regarding the issue of TikTok’s data processing practices, we of course expect all companies active in the EU to fully comply with EU data protection rules," a European Commission spokesperson told Euronews.

Lukasz Kobus/ EU
European Commission Vice President Vera Jourová met in Brussels with Shou Zi Chew, CEO of TikTok.Lukasz Kobus/ EU

'It would be a serious mistake to let it happen'

As a social media network, TikTok collects all sorts of data from its more than one billion users, which may cover content consumption, preferred categories, approximate location and IP address. This information is essential to feed the algorithm that powers the app and offers countless video recommendations.

In the midst of a geopolitical confrontation between the West and China, the risk that this highly valuable and sensitive user data could be end up in the inbox of the Chinese Communist Party has inevitably become a source of growing anxiety for Europeans and Americans alike.

Technology is one of the main factors that has for years stoked diplomatic tensions: Huawei, the Shenzhen-based telecommunications giant, saw its market opportunities dwindle after Western countries began digging deeper into the company's links with the Chinese government.

The suspicions led the likes of Sweden, Poland, Romania, Japan and Australia to block the company from rolling out the 5G network and building critical infrastructure. The US even prohibited the sale and import of new communications equipment manufactured by Huawei, ZTE and other three Chinese companies.

A similar pattern of mistrust emerges with TikTok, which has greater appeal and emotional attachment among the young population than any other Chinese corporation.

The concerns trace back to 2017 when the government of Chinese President Xi Jinping, whom critics blame for tightening the authoritarian screws within the country, issued a new law stating that "all organisations and citizens shall support, assist and cooperate with national intelligence efforts."

Crucially, the National Intelligence Law can compel Chinese companies and their subsidiaries operating "domestically and abroad" to hand over data to the Chinese government, if asked to do so.

"Once personal data is in the hands of a company that operates under Chinese jurisdiction, however, it is in practice very difficult from an EU perspective to prevent onwards transfer of that data to the Chinese government," Jan Penfrat, a senior policy advisor at European Digital Rights (EDRi), a Brussels-based human rights association, told Euronews.

"We must all think twice about the apps we use and try to avoid platforms with dubious data collection practices, in particular from companies driven by tracking advertising."

After TikTok proved to be more than a passing fad, the political spotlight sharply turned to its ballooning cache of personal data and the ever-looming shadow of the communist party.

In September 2021, the Irish Data Protection Commission (DPC) launched an inquiry into the transfers of personal data made by TikTok from Europe to China and compliance with the GDPR.

Like many other tech companies, TikTok has set up its European headquarters in Dublin, making the Irish body the one in charge of enforcing GDPR provisions. The GDPR empowers national authorities to impose hefty fines in case of non-compliance and mandate changes to corporate policy

A final conclusion can be expected in the second half of this year, an Irish spokesperson told Euronews.

'Everything is seen in China'

While TikTok awaits the findings from both European and American regulators, a series of media reports have added infused a new sense of urgency into the political conversation.

In June 2022, BuzzFeed revealed leaked audio from internal meetings that showed China-based employees of ByteDance had "repeatedly" accessed non-public data from American users, contradicting a sworn testimony from a TikTok executive before the US Senate.

"Everything is seen in China," a member of TikTok's Trust and Safety department is quoted as saying.

Following the BuzzFeed report, a group of five Members of the European Parliament sent a letter to European Commission President Ursula von der Leyen expressing their fears that a "gigantic" amount of data from EU citizens could be captured by the Chinese authorities.

"It would be a serious mistake to let it happen in a time of geopolitical repositioning for the European Union and its allies of the West," the five far-right lawmakers wrote.

In her written reply, von der Leyen said that, under the GDPR, any EU-based company "has to ensure that the level of data protection afforded in the EU is not undermined" by data transfers to countries outside the 27-strong bloc. This provision, the Commission chief noted, also applies to the access of data "by public authorities in the country of destination."

Weeks later, Forbes reported that TiKTok had spied on multiple journalists who were covering ByteDance by comparing their location information with that of workers suspected of acting as confidential sources. The hacking, which targeted the author of the BuzzFeed report, yielded no concrete results.

The company condemned the transgression and admitted personal data and IP addresses had been accessed by four ByteDance employees, two based in the US and two based in China, who were later fired after an internal investigation was conducted.

"The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals," ByteDance CEO Rubo Liang wrote in an email to employees.

"I believe this situation will serve as a lesson to us all."

This piece has been updated to include new reactions.