On Friday, TikTok, a short video app, was fined 530 million euros (6 billion dollars) by the European Union privacy regulatory authority for transferring EU users’ data to China.
As TikTok’s European headquarters are located in Dublin, the Irish Data Protection Commission (DPC) has become the primary regulatory authority for TikTok within the EU. After a four-year investigation, the DPC found that TikTok’s data transmission to China posed a surveillance risk to EU users, which violated the EU’s strict data privacy regulations.
In a statement, the DPC said that TikTok, a Chinese company owned by ByteDance, violated the General Data Protection Regulation (GDPR) by transmitting personal data to China. TikTok failed to verify, ensure, and demonstrate that the protection level of European users’ personal data accessed remotely by Chinese employees was equivalent to that of the EU. Additionally, TikTok did not address the issue of potential access to EU users’ data by the Chinese authorities under Chinese espionage laws and other regulations. These Chinese laws were deemed to have “substantial differences” from EU standards.
Furthermore, the DPC discovered that despite TikTok claiming not to store EU user data on servers in China during the four-year investigation, a limited amount of data was found to be stored in China in February of this year, which was later deleted.
The DPC imposed sanctions on TikTok for the lack of transparency regarding the location of data processing for user personal data. TikTok was ordered by the DPC to ensure its data processing compliance with EU regulations within six months. Failure to comply by the deadline would result in the suspension of data transfers from TikTok to China.
TikTok strongly opposed the DPC’s investigation findings, stating that the company has strictly controlled and limited remote access using the EU’s own legal framework, particularly the Standard Contractual Clauses. TikTok plans to appeal the decision.
TikTok has experienced rapid growth among global youth in recent years, with 175 million users in Europe. TikTok argues that it has never received requests from the Chinese authorities for EU user data nor provided data to Chinese authorities.
ByteDance, TikTok’s parent company, is headquartered in China. Due to concerns from Western governments about potential security risks associated with TikTok transmitting user data to China, the company has faced scrutiny regarding how it handles user personal information. This is the second time TikTok has been penalized by the DPC. In 2023, the company was fined 345 million euros for breaching EU privacy laws regarding the processing of children’s personal data.
The Irish privacy regulatory authority holds significant power, as many top global tech companies have regional headquarters in Ireland, making this authority a key regulator within the EU.