TikTok has officially confirmed that some employees outside the continent, including in China, can access the data of individuals using the app in Europe.
The news comes from the social media giant’s head of privacy in Europe, Elaine Fox, who has said access for staff in China was necessary to guarantee the app’s correct functionalities.
“Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognized under the [general data protection regulation] GDPR, we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States, remote access to TikTok European user data,” Fox explained.
The move is bound to send ripples across the regulatory community, as TikTok was already under scrutiny in Europe and the US over concerns that user data could be passed to the Chinese state. TikTok has so far denied the claims, so Fox’s words may now be seen as a U-turn.
“The changes to their privacy policy by TikTok to reflect their actual engineering and fraudulent account practices should be commended,” Claude Mandy, chief evangelist for data security at Symmetry Systems told Infosecurity.
According to the executive, the new TikTok privacy policy should clarify how many employees have this level of access and how much information from how many TikTok users will be viewed per the new policy.
“It is only with modern data security practices that monitor actual operations in accordance with their privacy against personal information that TikTok will be able to provide sufficient transparency like this to privacy regulators, users and governments that they are truly privacy-conscious,” Mandy added.
At the same time, Fox has said the new privacy policy will specify that the company won’t collect “precise location information” from users in Europe, as opposed to the current policy, which states: “With your permission, we may also collect precise location information (such as GPS).”
The new rules will be applicable from December 2, according to the social media company. Their publication comes two months after Microsoft found a vulnerability in TikTok’s Android app, which could have allowed attackers to hijack user accounts remotely.