
The investigation, launched in September 2021, revealed that TikTok failed to disclose to users that their data stored in the U.S. and Singapore could be accessed by personnel in China, violating EU data protection regulations.
TikTok has once again come under scrutiny after the European Union’s privacy regulator, Ireland’s Data Protection Commission (DPC), imposed a hefty fine of €530 million ($600 million) for violating EU data protection laws. The fine follows a four-year investigation into how TikTok handled the personal data of European users.
The regulatory body has also mandated that TikTok align its practices with EU data protection rules within six months. This investigation has cast a spotlight on how TikTok transfers and stores European users' personal data, with particular concern over the access granted to staff in China.
The DPC’s decision underscores concerns regarding TikTok’s failure to ensure that the personal data of European users, which was remotely accessed by employees in China, received an adequate level of protection comparable to the strict standards of the EU.
Deputy Commissioner Graham Doyle stated, “TikTok failed to verify, guarantee, and demonstrate that the personal data of European users...received a level of protection essentially equivalent to that guaranteed within the EU.”
The investigation, which was initiated in September 2021, revealed that TikTok was not transparent with users regarding where their data was being processed. It was found that the platform failed to disclose that data stored in the U.S. and Singapore could be accessed by personnel in China. The company’s privacy policy at the time did not include China or other third-party countries as potential destinations for user data, a key oversight that the DPC flagged as a breach of EU data protection rules.
TikTok plans appeal over GDPR fine
TikTok, which is owned by ByteDance and headquartered in Beijing, has announced plans to appeal the decision. The company criticized the ruling for focusing on a period that ended in May 2023, before the launch of its data localization project, “Project Clover.” This initiative is aimed at constructing three data centers in Europe to enhance data protection and localize European user data.
TikTok’s European head of public policy, Christine Grahn, defended the company’s actions, stating that Project Clover includes some of the most stringent data protection measures and independent oversight by cybersecurity firm NCC Group. She added that the decision overlooked these efforts.
The penalty marks the latest chapter in a series of challenges TikTok has faced over its data privacy practices, particularly regarding concerns that Chinese authorities might access European user data. The DPC’s findings also revealed that TikTok had provided inaccurate information during the investigation, especially concerning the storage of some European data in China. Although TikTok denied providing data to Chinese authorities, the regulator has taken these discrepancies seriously and is considering additional regulatory action.
This fine is the latest in a string of penalties for TikTok in Europe; the company also faced significant fines last year over violations related to children’s data. Under the EU’s General Data Protection Regulation (GDPR), personal data can only be transferred outside the bloc if equivalent safeguards are in place to ensure its protection. TikTok’s failure to meet these requirements has reignited discussions on the broader issue of data transfers, especially involving companies with ties to China.