TikTok has been fined €530 million over illegal transfers of personal data from Europe to China in the latest rebuke of Big Tech by a European public authority.
The Irish Data Protection Commission (DPC) found on Friday that TikTok had infringed the EU’s General Data Protection Regulation (GDPR), and ordered the company to comply with the law within six months.
Personal data transfers from the EU to China are heavily restricted under the GDPR, as China is deemed to have an inadequate level of personal data protection. European regulators are particularly concerned by alleged links between the Chinese government and TikTok’s owner, the Beijing-based company ByteDance.
Friday’s decision marks the conclusion of an investigation launched in September 2021, in which TikTok had initially told the DPC it did not store users’ data on servers located in China. The DPC said TikTok informed them in April this year that this was inaccurate, and that the company had in fact found EU users’ data on China-based servers.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted,” the DPC’s deputy commissioner Graham Doyle said in a statement.
TikTok plans to appeal the decision and stated that it never received a request from Chinese authorities to access European user data, a company spokesperson told Euractiv.
In a statement, the company said the ruling could have “far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and that it “delivers a blow to the European Union’s competitiveness.”
TikTok has been working to repair its image on European data protection: it has pledged to invest €12 billion over a decade in three data centres in Norway – an initiative known as Project Clover – and last month announced plans for a fourth data centre, in Finland.
However, the company’s lack of transparency around data transfers has drawn criticism and scepticism from experts.
The Irish regulator was responsible for the investigation as TikTok’s EU base is in the country. The fine is the third-largest ever imposed on a company for a breach of the GDPR: Meta and Amazon have previously been fined €1.2 billion and €746 million, respectively.
TikTok’s fines under the GDPR now total €875 million, following a €345 million penalty in September 2023 for neglecting children’s data privacy.
TikTok is under close scrutiny by the European Commission in two separate cases relating to the EU’s landmark law on content moderation and disinformation, the Digital Services Act: one over alleged Russian interference in Romania’s presidential elections, and the other over child protection concerns.
(om)
