With Project Clover, TikTok touts new EU data privacy and security efforts

TikTok is doubling down on its European charm offensive today as it looks to counter a rising tide of political discontent with the popular short-form video-hosting platform.

A new program called Project Clover will serve to create "a secure enclave for European TikTok user data," wrote Theo Bertram, TikTok's European VP of government relations and public policy, in a blog post.

TikTok, which claims more than 1 billion users globally, has been in the regulatory spotlight for a number of years already due to its ties with Chinese tech company ByteDance. Indeed, TikTok's trajectory of late suggests that some restrictions could be heading its way, with a group of U.S. senators this week unveiling bipartisan legislation that could allow the government to limit or ban foreign-based technologies such as TikTok, if deemed a national security threat.

Elsewhere, the European Commission last month ordered staff to remove TikTok from work devices, following shortly after the U.S. House of Representatives issued a similar ban.

And it's against that backdrop that TikTok is now looking to curry favor with European regulators with a swathe of commitments specific to the region, and addressing concerns over its data-harnessing practices in light of Europe’s upcoming Digital Services Act (DSA).

Data sovereignty

With Project Clover, TikTok is essentially bundling some previously announced initiatives alongside some new privacy and security efforts. We already knew that TikTok was planning some major infrastructure investments for Europe in terms of local data centers. The first of these was supposed to open for business in Ireland last year but has been hit with repeated delays, while the company recently announced plans for an additional two data centers in the region. We now know where they will be -- one will also be in Ireland, while the third will be deployed in Norway. The Norwegian data center, it said, will run entirely on renewable energy

Migrating data to European servers, a process TikTok says should finally start this year and continue into 2024, will be crucial to satisfying EU regulators, and it comes shortly after news emerged that staff in China could access European users' data.

With that in mind, Project Clover will also apparently usher in new data access and control processes including "security gateways" that determine which employees can access European TikTok user data. But perhaps more importantly here, TikTok said that it will engage an independent security company in Europe to audit its data controls and practices.

"We are in discussions with a third-party and will announce more details in due course," Bertram said.

On top of that, Bertram also noted that TikTok intends to partner with other third-parties on integrating "the latest advanced technologies" into its existing systems. This includes what is known as personal data "pseudonymisation," essentially making it more difficult to identify individual users in the event of a data breach.

"A dedicated internal team has been working on Project Clover since last year and we anticipate implementing these novel and industry-leading measures throughout this year and into 2024," Bertram noted.

While TikTok has arguably faced closer scrutiny due to the fact that its parent company is based in China, its announcements today are roughly in line with efforts being made by large technology companies elsewhere. Data sovereignty is ultimately the name of the game, whereby companies wanting to do business in Europe are expected to keep their data locally, and have measures in place to ensure that consumers and businesses know exactly what is happening with their data.

Last year, Microsoft launched Microsoft Cloud for Sovereignty for public sector customers, while it also recently kickstarted a multiyear rollout of a new EU data localization effort. Elsewhere, the likes of Google and Amazon's AWS have also been been touting their digital sovereignty credentials, with Europe typically serving as the main driving force.

"Project Clover reinforces our commitment to a European data governance approach that places the safeguarding of user data at its core and aligns with the principle of data sovereignty," Bertram said.