When Grant Shapps was appointed as the UK’s defense minister this month, one of the first questions he faced was about his social media use. Shapps, previously energy minister, was one of the most prolific users of TikTok in the British government, and military experts and the media wanted to know whether he had the app on his phone. It’s already banned from official devices in Parliament. And the UK isn’t the only country that has grown increasingly nervous about the security risks of TikTok.
This year, one nation after another has banned TikTok from devices used by government staff and elected officials. Citing unspecified “national security risks,” the European Commission, European Union, and European Parliament introduced a ban on officials’ devices in March. The parliament later called on member states to do the same.
The reason for such circumspection across Europe? The thing that has blighted TikTok throughout its existence: It is owned by ByteDance, which is registered in the Cayman Islands, but whose management is based in Beijing. That connection to China, and the perceived risk—despite denials from TikTok representatives—that the company would have to accede to Chinese state demands to share data with the Communist Party government, have raised fears.
To try to reassure European governments, TikTok is spending €1.2 billion ($1.3 billion) to build three new data centers—two in Ireland and one in Denmark—which means that, by the end of 2024, the data of users in the EU data won’t leave the jurisdiction. The data centers are part of a broader initiative that includes opening a European “transparency center” that regulators will be able to visit to learn more about how the app works. TikTok has also appointed an external consultant, UK-based NCC Group, to provide an independent assessment of its cybersecurity.
The plan, which TikTok calls Project Clover, is a hugely expensive, and very visible, attempt to prove that the platform is neither breaking EU laws on data transfers nor sending sensitive user data to China. “We believe that this is genuinely industry-leading,” says Theo Bertram, TikTok’s vice president of public policy in Europe. “No one else has done something like this.”
But it may not be enough. Suspicion of Chinese technology runs deep in some parts of the EU and in the UK, where senior intelligence officials have warned about Beijing’s growing threat in cyberspace.
“I don't really know how this plays out,” Sam Sharps, executive director of policy at the Tony Blair Institute for Global Change, says. “And whether the reassurances they give—even if today, they meet the best standards of investigations of data protection authorities around Europe—are at a political level going to be enough.”
TikTok has around 150 million users in Europe, many of whom are committed to the short-form video platform, spending around 90 minutes or more on the app every day, according to the company’s own data. It’s hugely popular, with a younger, more dedicated user base than competitors in the social space.
Yet the threat of a ban constantly looms over the app, in part because of those longstanding Chinese connections. Although the app is a separate one to the one available in China, called Douyin, it shares some features in addition to that tricky parent company. While TikTok has spent significant time and effort building up staff in its operating countries to localize the app, ByteDance’s management remains in China. Although the company claims no identifying data travels to its headquarters in Beijing, there are concerns among China skeptics that the country’s telecoms and national security laws would mean it would have to snoop on users if asked. (TikTok denies it has ever been asked to do so, and says it wouldn’t if asked.)
“TikTok poses several unacceptable risks for European users, including data access by Chinese authorities, censorship, and the tracking of journalists,” says Moritz Körner, a German member of the European Parliament.
In the US, there is a bipartisan consensus “that China is [the] country’s greatest threat,” says Anupam Chander, professor of law and technology at Georgetown University, which has led to calls to outright ban TikTok and other Chinese-owned technology platforms. In response, TikTok launched Project Texas, which is similar to Project Clover, onshoring data, opening a transparency center, and appointing Oracle as an independent auditor with oversight of its data. The project has led to disputes, including with the Chinese government, over who gets to scrutinize the app’s algorithm, which is its main point of differentiation to competitors, according to reports by Forbes. The US government has suggested that it might force a sale of TikTok to separate it from its Chinese parent; the Chinese government says it won’t let that happen.
“Project Clover is a step in the right direction, but it does not ensure that European data, requested by Chinese authorities, will not in the end be transferred to China,” says Körner. “Just like US Big Tech companies, TikTok is trapped between diverging legal requirements. It has to obey Chinese law while also attempting to obey EU law.”
While some countries have taken a lighter touch toward TikTok, the European Commission, European Parliament, and EU Council have all banned TikTok from being used on official devices of parliamentarians and their staff, as have several countries within the bloc, including Belgium and Denmark. In Norway, which is not in the EU but is a member of the European Economic Area, government officials and parliamentarians are banned from having TikTok on their devices.
TikTok’s efforts to ring-fence European data will be pointless if it can’t convince the skeptics.
“Until there is no legally enforceable data protection agreement between China and the EU, or at least an EU–China no-spying agreement, the data dragon TikTok must be placed under the constant surveillance of the European authorities,” says Körner. “Mobile phones are critical infrastructure. While the cybersecurity concerns remain, TikTok should be banned from the devices of European political and economic decisionmakers.”
And for European policymakers, China isn’t the only concern. While all the European user data involved in Project Clover is to be migrated to European data centers, it’s currently being held in what TikTok calls a “European enclave” in the United States as an interim measure. While covered under rules allowing European-to-US data transfers, the reliance on sending European users’ data to the US may give some pause at a time when they’re already skeptical.
On a recent media call about Project Clover, TikTok representatives faced questions about whether their actions were enough to convince European politicians to wind back bans on the app. “The next stage is to have those conversations with governments,” says Bertram, who added he was “keen” to have those discussions. “We’re very happy to engage and get feedback from security experts around the region, including government,” he adds, “and we want to make sure those experts understand what we’re doing and we hope it’ll satisfy their concerns.”
There is a performative element to TikTok’s investments in European infrastructure; according to Sharps, Project Clover has an element of PR promotion to it. “They’re saying: ‘We are a totally normal business, we’ve got this governance structure, we abide by all the rules, and we can go out of our way to reassure people around our data protection policies,’” he says.
But Sharps also believes there’s a genuine motivation behind it. “They’re trying to put their money where their mouth is, and seriously investing in European countries, and trying to build these new governance structures.”
Still, he isn’t sure it’s going to be enough. TikTok’s situation has echoes of hardware giant Huawei’s travails, after the US began a concerted global campaign to get countries to remove its telecoms equipment from their networks, over espionage concerns.
“Huawei spent a decade going through all these processes of massive investment in PR and communications, and telling everyone [it was] a very normal business and putting in place particular processes for putting it in the UK, which was subject to all these additional checks,” Sharps says. “And in the end, it sort of just didn't work."
