
Privacy regulator fines TikTok $600 million over EU data transfers to China

Ireland’s data privacy regulator on Friday announced it is fining TikTok €530 million ($600 million) for violating strict European Union rules governing how personal data can be transferred abroad and for failing to adhere to transparency requirements.

The Irish Data Protection Commission (DPC) ordered TikTok, which is owned by the Chinese company ByteDance, to fix its data processing weaknesses within six months or have its ability to transfer data to China suspended.

TikTok’s personal data transfers to China violated the General Data Protection Regulation (GDPR) law because the company failed to “verify, guarantee and demonstrate” that its China-based staff could only access Europeans’ data in accordance with the law’s requirements, GDPR Deputy Commissioner Graham Doyle said in a statement.

Because TikTok neglected to conduct required assessments, it failed to determine whether Chinese authorities were able to access the data under Chinese antiterrorism, counterespionage and other laws that significantly differ from the GDPR, Doyle said.

TikTok, whose European headquarters are in Ireland, also gave the DPC inaccurate information in response to its inquiry, according to a press release from the agency.

The social media giant told the DPC that it does not store European users’ data on Chinese servers. But in April it acknowledged that in February it had discovered some European users’ data had been stored on them, the agency said.

TikTok has told the DPC that it has deleted the data.

Doyle’s statement said the DPC is taking the fact that data was stored on Chinese servers “very seriously” and is considering further penalties against the company.

TikTok violated GDPR transparency requirements, the regulator said, because its 2021 privacy policy did not identify which countries it transferred data to and did not specify that staff in China and other countries had remote access to personal data stored in Singapore and the United States.

The DPC said that privacy policy was updated in 2022 while the years-long inquiry was underway and TikTok is now in compliance with GDPR transparency requirements.

Bloomberg reported the fines were expected in early April.

In September 2023, the DPC fined TikTok €345 million for allegedly violating the GDPR when processing data belonging to children using TikTok.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.