LONDON — In a significant move, TikTok has been slapped with a hefty fine of 530 million euros (approximately $600 million) by a European Union privacy authority following a protracted four-year probe. This investigation concluded that the popular video-sharing application had transferred user data to China, raising concerns about potential surveillance risks in conflict with the EU’s stringent data privacy regulations.
The Ireland-based Data Protection Commission, acting as TikTok’s primary data privacy overseer within the European Union, reprimanded the platform for its lack of transparency regarding the final destination of users’ personal information. They have mandated the company to align with data privacy standards within a six-month period.
Graham Doyle, the Deputy Commissioner, highlighted that TikTok failed to properly ensure and demonstrate that the European users’ personal data, which was remotely accessed by personnel in China, was treated with a protection standard equal to that observed within the EU. In response, TikTok, whose parent company ByteDance operates from China, has expressed dissatisfaction with the ruling and plans to contest the decision.
In a blog post detailing its stance, TikTok argued that the ruling reflected an outdated context, pointing to its ongoing Project Clover. This initiative, undertaken since May 2023, underscores a commitment to data security through the establishment of three data centers across Europe. Christine Grahn, TikTok’s European head of public policy and government relations, said that this project places TikTok at the forefront of data protection in the industry, backed by oversight from the NCC Group, a leading cybersecurity firm based in Europe.
Despite these assurances, concerns about TikTok’s data handling practices remain widespread across Europe amid fears that data sent to China could present security risks. The Irish watchdog had previously imposed substantial fines on TikTok in a different investigation concerning child privacy. This recent inquiry uncovered that TikTok had not adequately considered the possibility of Chinese authorities accessing European user data under Chinese legislation that contrasts starkly with EU standards on cybersecurity and privacy.
Grahn maintained that TikTok has neither received nor fulfilled any requests for European users’ data from Chinese authorities. Per the EU’s General Data Protection Regulation (GDPR), transferring European user data beyond the EU requires rigorous protections to maintain data privacy and security.
TikTok has rebutted the claims vehemently, with Grahn emphasizing that the company undertook all necessary assessments for its data transfers, seeking counsel from legal experts. She also stated that TikTok is being unfairly spotlighted despite adhering to the same legal frameworks other European companies use, aligning with EU regulations.
The inquiry, which began in September 2021, discovered that at that time, TikTok’s privacy policy did not clearly identify the countries, including China, to which user data could be transferred. Although TikTok’s policy has since been updated, it previously failed to clarify the involvement of personnel based in China, who had remote access to data stored in Singapore and the United States.
Further action may still be on the horizon, as the Irish regulator continues to scrutinize TikTok, particularly after revelations of incorrect information being provided by the company during the investigation. It was only in early 2023 that TikTok admitted discovering some data had been stored on Chinese servers, contrary to previous assurances. Doyle noted that the regulator is deeply concerned with these recent developments and is contemplating any further necessary regulatory measures.