by Elaine Fox, Head of Privacy, Europe 

TikTok's mission is to inspire creativity and bring joy. We do this by providing interconnected online experiences to people across the globe and, at the same time, offering them world-class privacy and security protections.

We previously set out a commitment to chart a new course for our industry when it comes to data security - and we're reflecting this in our evolving overall approach to European data governance. We believe in the importance of storing European user data in Europe; keeping data flows outside of the region to a minimum; and limiting the number of employees with any access to data only to those who need it to do their job. We're also continuously reducing both the scope of access such employees have, as well as the number of business functions that need this access in the first place.

I would like to set out in more detail our European data governance work, as well as how we're approaching the critical topic of data sovereignty.

Leaning local to protect European data

Last year, we announced our plans to establish a data centre in Ireland. Despite the challenges of the Covid-19 pandemic, we've made meaningful progress on this project from a legal, operational and technical perspective. We now anticipate that the data centre will be operational by late 2022. This data centre will then store all European user data, a commitment that puts us at the forefront of our sector. We're also developing in-market technical expertise, specifically, a dedicated team with deep industry knowledge and experience engaging local partners, to drive forward our plan.

Embracing such local expertise is illustrative of our approach to business in Europe. Over the past 18 months, we've established and rapidly scaled our European Privacy and Data Protection team and our Office of the Data Protection Officer, hiring highly skilled privacy professionals dedicated to working on user data protection. In addition, we made our Irish and UK offices the data controllers for EEA and UK users, giving them decision-making power over what happens with users’ personal data, how it is processed and protected.

We also recently announced our Fusion Centre in Ireland, which will further advance our local on-platform threat discovery capabilities to protect our community. We're creating over 50 highly specialised roles to strengthen our ability to identify, evaluate and ultimately eliminate risks to people on TikTok.

Safeguarding data transfers

We're mindful of the overall trend towards data sovereignty in Europe, particularly following last year's ruling of the European Court of Justice in the Schrems II case. TikTok is aligned with this direction, and we believe the steps we're taking will strengthen our approach to supporting these objectives and give users increased confidence in our commitment to a strong European data protection regime. We're already investing substantial time and effort to ensure that our practices are aligned with evolving guidance from institutions including the European Commission and the European Data Protection Board.

It's vital in this context to reflect on the importance of interoperability and preserving what is today a global entertainment platform that brings joy to people around the world - and allows our creators to benefit from being able to reach audiences in the more than 150 markets where TikTok is available. Some data transfers remain necessary to support this global community - including in Europe - and make their experience of TikTok enjoyable and safe.

We've implemented extensive policies and controls to safeguard user data. We rely on approved methods for data being transferred from Europe, such as standard contractual clauses. In addition, we employ a range of complementary technical, contractual and organisational measures so that in instances where user data access is required, it's afforded an equivalent level of data protection to that in the EEA and the UK. This means in practice that any personal data is protected through a robust set of physical and logical security controls, along with various policies and data access controls for employees.

We also have a defined process set out in our Law Enforcement Guidelines for any user data requests from law enforcement agencies and other relevant authorities in countries where TikTok is available. The number of such legal requests made and countries making those requests are included in our bi-annual Transparency Reports.

Striking the right balance

Running a global platform, while also being sensitive to European objectives on data sovereignty, requires thoughtfulness and balance. We are striving to give users the confidence that their data and privacy are highly protected. At the same time, we believe that it's important that measures be taken to avoid the creation of digital "islands" that would diminish opportunities for European creators.

Our work is ongoing and has no finish line - we'll continue to drive forward our local data storage strategy and implement more features and controls to safeguard European user data, further minimise data transfers and enhance personal data protections.