Recently, the European Union’s privacy regulators have for the first time targeted Beijing’s comprehensive surveillance law and made a ruling. This ruling could potentially sever data transfers between the EU and China in order to protect personal information in Europe.
On Friday, May 2nd, the Irish data protection authority, known as the Data Protection Commission (DPC), issued a massive fine of 5.3 billion euros against the social media platform TikTok, ruling that it illegally transferred data to China and could not guarantee that this data would not be subject to monitoring by the Chinese government.
TikTok, owned by the Chinese company ByteDance, has been given six months to make its data processing compliant. Additionally, if TikTok fails to make its data processing compliant within this time frame, the decision also requires TikTok to halt data transfers to China.
This ruling represents a watershed moment in Europe’s stance on Beijing in terms of EU data privacy rules, and it has significant implications for companies transferring personal data from Europe to China.
Joe Jones, research director of the International Association of Privacy Professionals (IAPP), stated that Friday’s ruling signifies a “ratcheting up” of pressure on data flows to China. The association represents professionals in the global privacy sector.
Jones said, “The EU has been locked in disputes over data transfers with the UK and the US for over a decade. This is the first time we have seen significant measures taken against a country outside of the Transatlantic triangle, and that country is China.”
Due to legal protection controversies surrounding the transfer of personal data across the Atlantic between Europe and the US, most of the high-level enforcement of the EU’s General Data Protection Regulation (GDPR) has so far been focused on American tech giants.
In the past, China’s surveillance measures and data privacy vulnerabilities had not faced direct challenges from the EU. However, with the increasing prominence and influence of large Chinese tech companies, the EU is now turning its attention to Beijing’s technological authoritarian tendencies.
Earlier this year, the Austrian data privacy organization “none of your business” (NOYB), founded by privacy activist Max Schrems, lodged complaints against six Chinese companies with European data protection authorities. These six companies included AliExpress, SHEIN, Temu, WeChat, Xiaomi, and TikTok.
Friday’s ruling by the Irish Data Protection Commission (DPC) marks the third-highest fine imposed by the EU for breaching data protection rules, highlighting fundamental conflicts between Chinese laws and European data protection principles.
TikTok has faced scrutiny in the US, with experts expressing concerns that it could potentially lead to American users’ data falling into the hands of the Chinese government.