Theo Bertram, Vice-President Public Policy Europe at TikTok, has shared an update on Project Clover, their programme to build a specially-reinforced protective environment around European user data.
For the sake of clarity, ‘European’ refers to EEA countries, the UK and Switzerland.
Data Storage
TikTok have committed to storing European user data locally by default, by establishing three new data centres in Europe. Their first data centre in Dublin, Ireland, is now operational and migration of European user data to the centre has begun. The other two data centres in Norway and Ireland are under construction.
Third-Party Oversight
TikTok have engaged a third-party European security company to independently audit their data controls and protections, monitor data flows, provide independent verification, and report any incidents. They have announced that NCC Group will conduct this oversight of their data security measures.
NCC Group is a globally respected, long-standing cybersecurity company with offices across Europe, including Germany, Portugal, the Netherlands, Spain, Denmark and the UK. Teams from several European offices and the UK will work on this programme. NCC Group is TIBER-EU accredited and a UK National Cyber Security Centre (NCSC) approved CHECK company.
Enhanced Data Controls
As the independent security provider, NCC Group will monitor data coming in and out of the secure environment to independently validate that only approved employees can access limited data types. NCC Group will perform ongoing security assessments of the new security gateways they are building around European user data, the TikTok app, data centres, and other TikTok infrastructure.
NCC Group will also serve as a managed security services provider for TikTok’s security gateways, performing real-time monitoring to identify and respond to any suspicious or anomalous access attempts and providing assurance on the integrity of the enhanced security controls operations. They will validate that network traffic carrying TikTok’s European user data passes through the security gateways.
All of these controls and operations are designed to ensure that the data of TikTok’s European users is safeguarded in a specially-designed protective environment, and can only be accessed by approved employees subject to strict independent oversight and verification.
In the coming months, TikTok and NCC Group will engage with policymakers across Europe to explain how this comprehensive system will work in practice.
We’re proud that TikTok has recognised NCC’s cyber security track record and expertise and chosen us as the independent third-party security provider on this project. Our objective scrutiny, monitoring and assurance means platform users in Europe and the UK can have confidence in the enhanced data security standards that TikTok is setting, which go above and beyond European regulatory requirements.
– Stephen Bailey, Global Director of Privacy, NCC Group