TikTok has been fined €530 million following a four-year investigation that found the platform violated European Union data privacy laws by transferring user data to China without sufficient protections.
Ireland’s Data Protection Commission, which oversees TikTok’s compliance with the EU’s General Data Protection Regulation due to the company's European headquarters being based in Dublin, concluded that TikTok lacked transparency regarding user data. The regulator has given TikTok six months to bring its operations into compliance with the regulation.
“TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Deputy Commissioner Graham Doyle in a statement.
TikTok said it plans to appeal the ruling, claiming in a blog post that the decision focuses on a “select period” ending in May 2023 before the company started a data localization project that involved building several data centers in Europe.
“The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm,” said TikTok's European head of public policy and government relations, Christine Grahn. “The decision fails to fully consider these considerable data security measures.”
Grahn also stated that TikTok “has never received a request” from the Chinese government for access to European user data and has “never provided European user data to them.”
According to The Daily Mail, the General Data Protection Regulation prohibits the transfer of personal data outside the EU unless the destination country offers an adequate level of protection. The investigation, launched in 2021, found that TikTok’s privacy policy at the time failed to disclose that data was being sent to third countries such as China.
The Irish regulator further criticized TikTok for allegedly giving inaccurate information during the inquiry, including claims that it did not store European data on Chinese servers.
