Irish data protection authorities have fined TikTok €530 million for breach data privacy rules in transferring European users’ personal data to China, following a lengthy investigation.
The fine is one of the largest ever imposed by the Data Protection Commission, after the €746 million penalty levied on Amazon and €1.2 billion against Facebook owner Meta Platforms.
TikTok said it would be appealing the decision, and warned it would have far-reaching implications for other companies.
The DPC investigation found Chinese-owned Bytedance breached General Data Protection Regulation (GDPR) in sending the information to China to be accessed by engineers.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA (European Economic Area) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said DPC deputy commissioner Graham Doyle.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
Bytedance owned TikTok said the DPC’s decision failed to give adequate consideration to Project Clover, which was implemented in 2023 to protect European user data and store it by default in a dedicated European data enclave.
100 days of Trump: “It’s like The Karate Kid, tax on, tax off, tariffs on, tariffs off”
“The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm,” Christine Grahn, TikTok’s head of public policy and government relations in Europe said. “The decision fails to fully consider these considerable data security measures.”
The company also said it was “disappointed to have been singled out”, and that it relied on the same legal mechanism employed by thousands of other companies providing services in Europe.
The investigation also examined whether the provision of information to users in relation to the transfers met TikTok’s transparency requirements as required by the GDPR. It found TikTok had also infringed GDPR on that count.
“Like many organisations that operate globally, TikTok has used the EU’s own legal framework, specifically, Standard Contractual Clauses to grant tightly controlled and limited access to employees in countries without data adequacy agreements,” TikTok said.
“This approach is in line with the rules established by the European Union (EU), and we have consistently been transparent about our practices.”
The DPC also ordered TikTok to bring its processing into compliance within six months, saying it would suspending TikTok’s transfers to China if that timeframe was not met.
Although TikTok had initially told the DPC it did not store EEA user data on servers located in China, the privacy watchdog said last month the video sharing platform said it had discovered in February that “limited” data of European users had been stored there.
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously,” Mr Doyle said.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
