Additional Coverage:
Dublin — TikTok has been slapped with a hefty $600 million fine by the Irish Data Protection Commission (DPC) for illegally transferring European users’ personal data to servers in China. The DPC ruled on Friday that TikTok’s actions violated the European Union’s General Data Protection Regulation (GDPR) due to the unauthorized data transfer and a lack of transparency with users.
The DPC’s Deputy Commissioner, Graham Doyle, stated that TikTok failed to demonstrate that the personal data of European Economic Area (EEA) users, accessed remotely by staff in China, was adequately protected under standards equivalent to those within the EU. Doyle also noted concerns regarding potential access to the data by Chinese authorities under laws that diverge significantly from EU standards. TikTok has been given six months to bring its data processing practices into compliance.
TikTok plans to appeal the decision. Christine Grahn, TikTok’s head of public policy and government relations in Europe, expressed disappointment at being “singled out” despite using the same legal mechanisms as many other companies operating in Europe. She emphasized that TikTok had not received any requests from Chinese authorities for European user data.
While TikTok initially maintained that European data was not stored on Chinese servers, the company later admitted to the DPC that some limited EEA user data had been stored there. TikTok claims to have since deleted the data. The DPC has ordered TikTok to suspend further data transfers and ensure its operations comply with GDPR.
This marks the third-largest fine ever imposed for a GDPR violation. As TikTok’s EU headquarters is in Ireland, the DPC holds the regulatory authority in this matter.