Following a four-year investigation that found TikTok’s data transfers to China violated stringent EU data privacy regulations, the European Union privacy authority fined the video-sharing app 530 million euros ($600 million) on Friday.
Ireland’s Data Protection Commission also fined TikTok for failing to inform users where their personal information was being transferred, and gave the company a six-month deadline to comply with the regulations.
TikTok Fined $600 Million
Since TikTok’s European headquarters are located in Dublin, the Irish national watchdog acts as the company’s primary data privacy authority in the 27-nation EU.
In a statement, Deputy Commissioner Graham Doyle said, “TikTok failed to verify, guarantee, and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
TikTok said it disagreed with the ruling and intends to file an appeal. The business stated in a blog post that the decision focuses on a “select period” ending in May 2023, before it started a data localization initiative named Clover, which involves constructing three data centers in Europe.
According to Christine Grahn, manager of public affairs and government relations at TikTok in Europe, “Project Clover has some of the strictest data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm.” “These significant data security measures are not fully taken into account in the decision.”
Western officials are worried that TikTok, whose parent company, ByteDance, is based in China, poses a security risk because user data is transmitted to China. As a result, TikTok has been under review in Europe over how it manages users’ personal information. In a separate child privacy investigation in 2023, the Irish authority also fined the business hundreds of millions of euros.
TikTok Broke EU Privacy Rules
European user data can only be transmitted outside of the EU if measures are in place to guarantee the same degree of protection, according to EU regulations known as the General Data Protection Regulation.
According to Grahn, TikTok vehemently disagreed with the Irish regulator’s claim that it did not conduct “necessary assessments” for data transfers, saying that it consulted experts and law firms. Even though TikTok employs the “same legal mechanisms” as thousands of other European businesses and its strategy is “in line” with EU regulations, she claimed the company was being “singled out.”
The investigation, which opened in September 2021, also found that TikTok’s privacy policy at the time did not name third countries, including China, where user data was transferred. The watchdog said the policy, which has since been updated, failed to explain that data processing involved “remote access to personal data stored in Singapore and the United States by personnel based in China.”
TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn’t store European user data on Chinese servers. It wasn’t until April that it informed the regulator that it had discovered in February that some data had been stored on Chinese servers.