Yet the threat of a ban constantly looms over the app, in part because of those longstanding Chinese connections. Although the app is a separate one to the one available in China, called Douyin, it shares some features in addition to that tricky parent company. While TikTok has spent significant time and effort building up staff in its operating countries to localize the app, ByteDance’s management remains in China. Although the company claims no identifying data travels to its headquarters in Beijing, there are concerns among China skeptics that the country’s telecoms and national security laws would mean it would have to snoop on users if asked. (TikTok denies it has ever been asked to do so, and says it wouldn’t if asked.)
“TikTok poses several unacceptable risks for European users, including data access by Chinese authorities, censorship, and the tracking of journalists,” says Moritz Körner, a German member of the European Parliament.
In the US, there is a bipartisan consensus “that China is [the] country’s greatest threat,” says Anupam Chander, professor of law and technology at Georgetown University, which has led to calls to outright ban TikTok and other Chinese-owned technology platforms. In response, TikTok launched Project Texas, which is similar to Project Clover, onshoring data, opening a transparency center, and appointing Oracle as an independent auditor with oversight of its data. The project has led to disputes, including with the Chinese government, over who gets to scrutinize the app’s algorithm, which is its main point of differentiation to competitors, according to reports by Forbes. The US government has suggested that it might force a sale of TikTok to separate it from its Chinese parent; the Chinese government says it won’t let that happen.
“Project Clover is a step in the right direction, but it does not ensure that European data, requested by Chinese authorities, will not in the end be transferred to China,” says Körner. “Just like US Big Tech companies, TikTok is trapped between diverging legal requirements. It has to obey Chinese law while also attempting to obey EU law.”
While some countries have taken a lighter touch toward TikTok, the European Commission, European Parliament, and EU Council have all banned TikTok from being used on official devices of parliamentarians and their staff, as have several countries within the bloc, including Belgium and Denmark. In Norway, which is not in the EU but is a member of the European Economic Area, government officials and parliamentarians are banned from having TikTok on their devices.
TikTok’s efforts to ring-fence European data will be pointless if it can’t convince the skeptics.
“Until there is no legally enforceable data protection agreement between China and the EU, or at least an EU–China no-spying agreement, the data dragon TikTok must be placed under the constant surveillance of the European authorities,” says Körner. “Mobile phones are critical infrastructure. While the cybersecurity concerns remain, TikTok should be banned from the devices of European political and economic decisionmakers.”
And for European policymakers, China isn’t the only concern. While all the European user data involved in Project Clover is to be migrated to European data centers, it’s currently being held in what TikTok calls a “European enclave” in the United States as an interim measure. While covered under rules allowing European-to-US data transfers, the reliance on sending European users’ data to the US may give some pause at a time when they’re already skeptical.