Ireland's DPC Fines TikTok €530M for Sending EU User Data to China
The Irish Data Protection Commission (DPC) has fined popular video-sharing platform TikTok a staggering €530 million for violating data laws by sending European user data to China. This hefty fine is the result of a thorough investigation launched in September 2021, which found that TikTok had failed to protect the personal data of European users when transferring it to servers in China.
TikTok's failure to adhere to GDPR regulations was deemed a serious breach of trust by the DPC. The commission found that the platform had not adequately verified and guaranteed the protection of EEA user data, which was being remotely accessed by staff in China. This lack of transparency and oversight allowed for potential access by Chinese authorities to sensitive information under Chinese anti-terrorism, counter-espionage, and other laws.
Under Article 46(1) GDPR, personal data can be transferred to a third country only if the European Commission determines that it offers adequate data protection. However, the DPC found that TikTok had failed to meet this requirement because it did not ensure that EEA user data was protected to a level equivalent to that within the EU.
The commission's decision includes two main components: an administrative fine of €530 million and an order requiring TikTok to bring its processing into compliance within six months. Failure to comply will result in the suspension of data transfers to China. The DPC also expressed concern that TikTok had not provided adequate assurance about the protection of EEA user data, stating that "the decision is taking these recent developments very seriously."
TikTok has vehemently disputed the decision, arguing that it ignores its €12 billion Project Clover initiative launched in 2023. The company claims that this project includes some of the most stringent data protections anywhere and that the DPC's focus on a specific period prior to its implementation does not reflect the safeguards now in place.
Interestingly, this is not the first time TikTok has faced regulatory scrutiny for its handling of user data. In September 2023, the Irish data regulators fined the platform €345 million for violating children's privacy laws due to a severe flaw in its "family pairing" feature that allowed adults to send direct messages to teenagers without family connections.
The DPC's decision serves as a reminder of the importance of robust data protection regulations and the need for companies like TikTok to prioritize transparency and user safety. As users continue to share their personal data with social media platforms, it is crucial that regulators remain vigilant in ensuring that these companies adhere to strict data protection standards.