On Friday, TikTok faced a hefty fine of 530 million euros ($600 million) from its principal E.U. privacy overseer, following concerns about its user information protection strategies. The platform was instructed to halt data transfers to China if its processing methods aren’t compliant within six months.
The Data Protection Commissioner (DPC) in Ireland stated that TikTok, owned by China-based ByteDance, failed to demonstrate that the personal data of E.U. users received the robust protection mandated by E.U. regulations, as some data is accessed remotely by staff in China.
This situation indicates that TikTok did not fully address the possibility of Chinese authorities accessing this data under China’s counter-espionage and other laws, which TikTok itself identified as significantly different from E.U. standards, as per the DPC’s statement.
TikTok said it strongly contested the finding and that it has used the E.U.’s own legal framework, specifically so-called standard contractual clauses, to grant tightly controlled and limited remote access. It plans to appeal the ruling.
It also said the decision fails to fully consider data security measures first rolled out in 2023 that independently monitor remote access and ensure E.U. user data is stored in dedicated data centers in Europe and the United States.
TikTok, which has grown rapidly among teenagers around the world in recent years and has 175 million users across Europe, added that it has never received a request for E.U. user data from the Chinese authorities, and has never provided data to them.
“This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” TikTok said in a statement.
The DPC also found that while TikTok said throughout the four-year inquiry that it did not store E.U. user data on servers in China, it disclosed last month that it discovered in February that a limited amount was stored in China and since deleted.
“The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted,” DPC Deputy Commissioner Graham Doyle said.
It is the second time TikTok has been reprimanded by the DPC. It was fined 345 million euros in 2023 for breaching privacy laws regarding the processing of children’s personal data in the E.U.
The powerful Irish privacy regulator, the lead regulator in the E.U. for many of the world’s top tech firms due to the location of their regional headquarters in Ireland, has also fined the likes of Microsoft’s LinkedIn, X and Meta since it was given sanctioning powers in 2018.
Under the E.U.’s General Data Protection Regulation (GDPR), that also covers European Economic Area member states Iceland, Liechtenstein and Norway, the lead regulator for any given company can impose fines of up to 4% of its global revenue.
