TikTok Fined €530 Million for GDPR Violations Over Data Transfers to China
The Irish Data Protection Commission (DPC) has fined TikTok €530 million for failing to ensure that personal data of European users sent to China is protected from access by Chinese authorities. As the regulator responsible for overseeing TikTok across the European Economic Area (EEA), the DPC found that the company did not adequately address the risk of Chinese government access to user data under Chinese laws that differ significantly from EU data protection standards.
The investigation revealed that TikTok did not verify or guarantee that the data transferred to China would receive the same level of protection as required under the EU’s General Data Protection Regulation (GDPR). The DPC highlighted that TikTok’s initial claims were misleading, as the company first denied storing EEA user data in China but later admitted to storing a limited amount of such data there. The regulator also noted that TikTok staff in China had remote access to this data.
TikTok has stated that it has never provided European user data to Chinese authorities nor received any requests for such data. However, the DPC ordered TikTok to halt data transfers to China if compliance with GDPR is not achieved within six months. The ruling also pointed out that TikTok’s privacy policy initially failed to disclose that user data could be accessed in China, a detail only added in a 2022 update.
The case underscores ongoing concerns about the security of European user data managed by companies under foreign jurisdictions with conflicting legal obligations. TikTok plans to appeal the ruling and has introduced new data security measures under its Project Clover initiative. The DPC continues to evaluate whether further regulatory actions are necessary.
Source: TikTok fined €530m by Irish regulator for failing to guarantee China would not access user data
