Ireland’s data protection authority imposed a record €530 million ($601.3 million) fine on TikTok for sending data of European users to China without a legitimate legal ground, one of the largest fines ever under the European Union’s tough data protection regime.
The Irish Data Protection Commission (DPC), the lead regulator of TikTok’s European operations, stated on Friday that the popular video-sharing application had committed serious violations of the General Data Protection Regulation (GDPR), the EU’s broad privacy law that came into force in 2018.
TikTok Fined by EU Regulator Over China Data Access
In its probe, the DPC said that TikTok did not have proper safeguards in place when giving staff in China access to the personal data of users located in the European Economic Area (EEA). The regulator determined that TikTok could not prove that European users’ data was treated in China with the same degree of protection that EU law dictates.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Graham Doyle, DPC deputy commissioner, in the regulator’s official release.
The probe also turned up something even more disturbing: TikTok had given regulators false information when it earlier stated it hadn’t stored data of European users on servers in China.
Earlier this month, TikTok told the commission that it had found in February that certain European user data had actually been stored on Chinese servers, flatly contradicting its previous claims.
This misrepresentation has led the DPC to weigh further regulatory action, with Doyle saying the commission is considering the issue “very seriously” and is consulting other EU data protection authorities on further measures.
In addition to the hefty fine, the DPC has directed TikTok to bring its data processing activities into compliance within a tight six-month deadline. Non-compliance would result in a ban on all data transfers to China, which would be a severe operational headache for the platform.
TikTok Faces Massive EU Fine Over Data Privacy Concerns
The firm, which is owned by Chinese tech giant ByteDance, has already indicated that it will appeal the ruling in full. In a lengthy blog post reacting to the ruling, TikTok’s head of Europe public policy and government relations claimed that the DPC’s ruling did not take into consideration the recent enhancements that the firm has made to its data protection policies.
Grahn also noted that, despite worries about possible Chinese government access to information, “The DPC itself documented in its report what TikTok has repeatedly stated: it has never been asked for European user data by the Chinese authorities, and has never sent European user data to them.”
The fight demonstrates the persistent struggle between worldwide technology platforms and European privacy regulations, particularly for companies with Chinese connections.
European regulators have grown more and more concerned about the risk that personal user information may be exposed to foreign government access under local legislation that may clash with EU privacy standards.
TikTok has previously confirmed that employees in some countries, including China, are able to see information of users for operational reasons. In a 2022 update to its privacy policy, the company revealed that employees in countries where it has headquarters (China, Brazil, Canada, and Israel) are able to see data about users to ensure their experience is “consistent, enjoyable and safe.”
This huge fine follows growing worldwide pushback against TikTok’s data practices and possible national security risks. In the United States, proposed legislation could get the app removed, and other nations have placed restrictions on its use on government devices.
Ireland’s regulator is especially important to EU privacy enforcement since some of the world’s largest tech giants, such as TikTok, Meta, Google, and Apple, have set up their European headquarters in Ireland and hence have the DPC as their lead regulator under the GDPR’s “one-stop shop” regime.