TikTok, the popular short-video platform owned by China’s ByteDance, has been hit with a hefty fine of 530 million euros ($600 million) by Ireland’s Data Protection Commissioner (DPC) over concerns about the protection of user data. The DPC found that TikTok failed to provide adequate protection for EU users’ personal data, some of which is accessed remotely by staff in China. As a result, the DPC has ordered TikTok to suspend data transfers to China unless it brings its processing into compliance within six months.
The DPC’s ruling comes after a four-year inquiry into TikTok’s data protection practices, during which the company claimed it did not store EU user data on servers in China. However, TikTok disclosed last month that a limited amount of EU user data was indeed stored in China and has since been deleted. Deputy Commissioner Graham Doyle stated that the DPC is considering further regulatory action in light of these recent developments.
TikTok has stated that it strongly contests the DPC’s findings and plans to appeal the ruling. The company has argued that it has used the EU’s standard contractual clauses to grant tightly controlled and limited remote access to user data. TikTok also highlighted its data security measures, including independent monitoring of remote access and storage of EU user data in dedicated data centers in Europe and the United States.
Despite the fine and regulatory scrutiny, TikTok maintains that it has never received a request for EU user data from Chinese authorities, nor has it provided data to them. The company expressed concerns that the ruling could set a precedent with far-reaching consequences for global companies operating in Europe.
This is not the first time TikTok has faced regulatory action from the DPC. In 2023, the company was fined 345 million euros for breaching privacy laws related to the processing of children’s personal data in the EU. The DPC, as the lead privacy regulator in the EU for many top tech firms with regional headquarters in Ireland, has also fined companies like Microsoft, LinkedIn, and Meta in recent years.
Under the EU’s General Data Protection Regulation (GDPR), companies can face fines of up to 4% of their global revenue for violations of data protection laws. The DPC’s ruling against TikTok underscores the importance of compliance with EU data protection standards for companies operating in the region.