TikTok fined €530m by Irish regulator over data transfer violations

TikTok has been fined €530m ($598.8m) by the Data Protection Commissioner (DPC) of Ireland for violating the General Data Protection Regulation (GDPR) in relation to the transfer of user data from the European Economic Area (EEA) to China.

The DPC’s Inquiry revealed that TikTok had infringed upon GDPR rules by transferring EEA user data to China without adequate protection and failing to clearly inform users about these transfers.

In addition to the financial penalty, the DPC has ordered TikTok to overhaul its data processing operations to ensure compliance with GDPR standards within a six-month period.

Should TikTok fail to align its practices with the regulatory requirements within this timeframe, the DPC has mandated a suspension of the company's data transfers to China.

DPC Deputy Commissioner Graham Doyle said: “The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.

“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

TikTok expressed its disagreement with the findings, stating its intention to appeal.

The company was cited by Reuters as saying in a statement: “This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.”

The company said it has adhered to the EU's legal framework, using standard contractual clauses to regulate and restrict remote access.

TikTok, which is owned by China-based Bytedance, maintains that it has never received or complied with requests for EU user data from Chinese authorities.

However, the DPC discovered that TikTok had stored some EU user data on servers in China, which was only disclosed last month and has since been deleted.

Doyle added: “The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously.

“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”