TikTok has just been handed a hefty €530 million ($600 million) fine in Ireland by the country’s Data Protection Commission (DPC). The reason has to do with transfers of personal data of TikTok users in the European Economic Area (EEA) to China.
The decision finds that TikTok infringed upon the EU’s GDPR regulations regarding transferring EEA user data to China, and it also didn’t uphold its transparency requirements regarding this.
Along with the fine, TikTok is also required to bring its data processing into compliance with the GDPR within six months. Otherwise, its data transfers to China will be suspended.
Here’s DPC Deputy Commissioner Graham Doyle commenting on the matter:
The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries. TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.
TikTok initially said it did not store EEA user data on servers located in China, but last month it informed the DPC of an issue that it had discovered in February where “limited EEA user data” had indeed been stored on servers in China. Thus, the initial information it provided was proven to be inaccurate. TikTok has in the meantime informed the DPC that the data has been deleted.
