TikTok has once again made headlines after the European Union privacy watchdog imposed a 530 million euros ($600 million) fine, highlighting that the platform’s transfer of user data to China has violated EU data protection laws.
Notably, the Ireland’s Data Protection Commission (DPC) imposed a fine on TikTok this Friday, followed by a four-year investigation into the company’s handling of European users’ personal data. The EU body jas also ordered the video-sharing app to bring its practices into compliance within six months.
Ireland’s DPC leads TikTok’s regulatory oversight in the EU, as the company’s European headquarters are based in Dublin.
“TikTok failed to verify, guarantee, and demonstrate that the personal data of European users, accessed remotely by staff in China, received a level of protection essentially equivalent to that guaranteed within the EU,” said Deputy Commissioner Graham Doyle.
The probe, launched in September 2021, concluded that TikTok was not transparent with users about where their data was being processed, and had failed to disclose that personnel in China could access data stored in Singapore and the United States. The platform’s privacy policy at the time did not specify China or other third countries as destinations for user data—a gap the regulator said breached EU rules.
How to TikTok responded to the ruling
TikTok’s parent company, ByteDance, is headquartered in Beijing. In response to the ruling, TikTok announced plans to appeal, criticising the decision for focusing on a “select period” ending in May 2023, prior to its “Project Clover” data localisation initiative.
Project Clover, which involves constructing three European data centres, was designed to strengthen data protections. Christine Grahn, TikTok’s European head of public policy and government relations, said the initiative includes “some of the most stringent data protections anywhere in the industry” with independent oversight by cybersecurity firm NCC Group.
“The decision fails to fully consider these considerable data security measures,” Grahn added.
TikTok has faced mounting scrutiny from Western governments over fears that user data could be accessed by Chinese authorities under China’s national security and intelligence laws. The Irish regulator’s findings stated that TikTok had failed to address the risk of “potential access by Chinese authorities,” under laws that “materially diverge” from EU data protection standards.
However, Grahn insisted that TikTok “has never received a request for European user data from Chinese authorities, and has never provided European user data to them.”
Challenges for TikTok
Compounding the company’s challenges, the DPC revealed TikTok provided inaccurate information during the investigation. While TikTok repeatedly claimed that European user data was not stored on Chinese servers, the company only disclosed in April that it had discovered in February that some data had, in fact, been stored in China.
Doyle said the regulator was “taking these developments very seriously” and considering further regulatory action.
The penalty adds to a string of fines for TikTok in Europe, including hundreds of millions of euros levied last year over violations related to children’s data.
Under the EU’s General Data Protection Regulation (GDPR), personal data can only be transferred outside the bloc if equivalent safeguards are in place to protect it. TikTok’s failure to meet these requirements has reignited debate over data transfers involving companies with links to China.
(With inputs from PTI and AP)
