TikTok has been fined 530 million euros ($601.3 million) by Ireland’s privacy regulator for sending user data to China.
The Irish Data Protection Commission (DPC) — which leads on privacy oversight for TikTok in the EU — said Friday that TikTok infringed the bloc’s GDPR data protection law over transfers of European user data to China.
The regulator ordered TikTok to bring its data processing into compliance within six months and said it would suspend TikTok’s transfers to China if processing is not brought into compliance within that timeframe.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Graham Doyle, deputy commissioner at the DPC, said in a statement Friday.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” he added.
The DPC said it also found TikTok had provided inaccurate information to its inquiry when it claimed it hadn’t stored European users’ data on servers located in China. TikTok informed the regulator this month that it discovered an issue in February where limited European user data had been stored on servers in China, contrary to its prior statements.
The DPC takes the issue “very seriously” and is considering what further regulatory action may be warranted in consultation with its fellow EU data protection authorities, Doyle said.
TikTok said it disagrees with the Irish regulator’s decision and plans to appeal in full.
In a blog post Friday, Christine Grahn, TikTok’s head of public policy and government relations for Europe, said the decision failed to take into account Project Clover, a 12-billion-euro data security initiative aimed at protecting European user data.
“It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place,” Grahn said.
“The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them,” she added.
TikTok has previously acknowledged that staff in China can access user data.
In 2022, it said in an update to its privacy policy that employees in countries where it operates — including China, Brazil, Canada and Israel — are permitted access to users’ data to ensure their experience is “consistent, enjoyable and safe.”
Western policymakers and regulators are concerned TikTok’s transfers of user data could lead to Beijing accessing the data to spy on users with the app. Under Chinese law, tech companies are required to hand over user data to the Chinese government if requested to assist with vaguely-defined “intelligence work.”
For its part, TikTok has insisted that it has never sent user data to the Chinese government. In 2023, TikTok boss Shou Zi Chew said in written testimony for a U.S. Congress hearing that the app “has never shared, or received a request to share, U.S. user data with the Chinese government.”
