The European Union privacy watchdog fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation revealed that the app’s data transfers to China posed a risk of espionage, violating strict EU data privacy regulations. Ireland’s Data Protection Commission, TikTok’s lead data privacy regulator in the EU due to the company’s European headquarters in Dublin, found that TikTok was not transparent about where users’ personal data was being sent.
The investigation discovered that TikTok failed to ensure that European users’ data, which was remotely accessed by staff in China, was protected to the same standards required by EU law. Deputy Commissioner Graham Doyle explained that the company had not demonstrated that personal data was afforded equivalent protection to what is guaranteed within the EU.
In response, TikTok disagreed with the ruling and announced plans to appeal. The company argued that the decision pertains to a period ending in May 2023, before it initiated Project Clover, a data localization initiative involving the construction of three data centers in Europe. TikTok’s European head, Christine Grahn, stated that the project included strong data protection measures and independent oversight by a European cybersecurity firm, NCC Group. She criticized the decision for not fully considering these efforts.
TikTok has faced increased scrutiny in Europe due to concerns over its handling of personal data, especially with its Chinese parent company, ByteDance, potentially having access to this information. In 2023, the Irish regulator also fined TikTok over child privacy issues.
The investigation found that TikTok failed to address the risks of Chinese authorities gaining access to European user data under China’s laws related to counterespionage, national intelligence, and cybersecurity, which do not align with EU standards. While TikTok maintains it has never provided European user data to Chinese authorities, the watchdog raised concerns that the company had not adequately assessed data transfer practices or fully informed users about where their data was being processed. Specifically, TikTok’s privacy policy failed to mention that data was being transferred to China, and the company only disclosed in April that some European data had been stored on Chinese servers.
TikTok also faces additional scrutiny from the Irish regulator, which has expressed concern about inaccuracies in the company’s responses during the investigation. The regulator is now considering further regulatory action in light of the recent developments.
