Video-sharing platform TikTok has been fined €530 million by the Irish Data Protection Commission (DPC) for failing to protect the personal data of EU users when transferring it to China, the privacy watchdog said in a statement on Friday.

DPC Deputy Commissioner Graham Doyle said that the transfers infringed the General Data Protection Regulation (GDPR) because TikTok failed to demonstrate that the personal data of users in the EU, remotely accessed by staff in China, “was afforded a level of protection essentially equivalent to that guaranteed within the EU”.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” the statement added.

TikTok – which has some 159.1 million monthly active users in Europe – needs to bring its data processing into compliance within six months. Data transfers to China will be suspended if this deadline is not met.

The DPC launched the probe in 2021 as the lead privacy watchdog in Europe for the company owned by China’s ByteDance.

During the investigation, TikTok told the DPC it did not store EU user data on servers located in China, but the watchdog found evidence contradicting this. 

Doyle said that the regulator is taking these developments “very seriously”.

“TikTok has informed the DPC that the data has now been deleted, but we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” he added.

TikTok said in a statement that the “decision primarily focuses on a select period from years ago, before the 2023 implementation of Project Clover, our €12 billion data security initiative.”

“This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale. It delivers a blow to the European Union’s competitiveness,” the statement added.

It’s not the first time that TikTok has been hit with a GDPR fine: it received a €345 million penalty in 2023 for failing to protect children’s privacy.

The story has been updated with a TikTok statement.
