TikTok must pay a fine of €530 million because it illegally sent Europeans' personal data to China and was not transparent enough with users, a powerful Irish privacy regulator said on Friday, UNN reports citing Politico.
Details
The Irish Data Protection Commission (DPC) said that TikTok violated key EU data protection rules when it sent European user data to China, while it could not guarantee that the data was protected amid Chinese surveillance laws.
Taking a position on data transfers to China for the first time, the regulator said TikTok failed to adequately assess the impact of Chinese surveillance laws on those Europeans.
These laws, which give the Chinese government broad powers to order companies to transfer data, "differ significantly from EU standards", TikTok acknowledged during the investigation.
The regulator also said that TikTok violated transparency rules between 2020 and 2022 by failing to inform users about the transfer of personal data to China. It noted that TikTok updated its privacy policy in 2022 and is now "compliant".
The company was fined €485 million for transferring data to China and €45 million for failing to be transparent in its privacy policy.
This fine is the third largest violation of the EU General Data Protection Regulation. TikTok's headquarters are located in Ireland, which means that the Irish DPC is the leading body responsible for compliance with EU rules.
TikTok has argued for years that it does not store European or American user data on servers in China, but told the regulator in April that in February it discovered that "limited EEA user data" was actually stored in China.
Irish DPC Deputy Commissioner Graham Doyle said the regulator took the discovery "very seriously", and while TikTok said it had removed the data from Chinese servers, it is considering "what further regulatory measures may be warranted".
TikTok has been given six months to bring its data processing practices into compliance with EU privacy rules or suspend all data transfers to the country.
TikTok said it "strongly objects" to the findings of the Irish DPC and plans to appeal in full.
"In addition to the DPC's failure to substantially consider the large guarantees [already implemented by Tiktok], we are disappointed that we have been singled out, despite relying on the same legal mechanism used by thousands of other companies providing services in Europe," said Christina Gran, Head of Public Policy and Government Relations at TikTok.
TikTok pointed to its €12 billion investment in Project Clover, which is deploying data centers in Europe to store data locally in the EU, as well as other privacy safeguards. The Irish DPC acknowledged the project, but said it was not enough to influence its decision.
Gran stressed that TikTok has "never received a request for European user data from Chinese authorities and has never provided them with European user data."
She said the Irish DPC's decision "risks setting a precedent with far-reaching consequences for companies and entire industries across Europe operating on a global scale" and "undermines the competitiveness of the European Union."