TikTok has been fined €530 million ($600 million) by Ireland’s Data Protection Commission (DPC) for violating the European Union’s General Data Protection Regulation (GDPR) over its handling of EU user data and the risks associated with transferring that data to China.
The four-year investigation found that TikTok, owned by China’s ByteDance, failed to guarantee adequate protection for EU users’ personal data accessed remotely by staff in China. The watchdog cited a lack of transparency, insufficient safeguards, and failure to assess risks tied to access by Chinese authorities under laws that diverge significantly from EU standards, such as China’s counter-espionage and cybersecurity regulations.
Investigators also discovered that TikTok misled regulators by claiming it did not store EU user data on Chinese servers, only admitting last month that some data had been stored there before being deleted.
The company has six months to bring its data processing into compliance or face a suspension of data transfers to China. TikTok criticized the ruling and plans to appeal, arguing that it does not take into account TikTok’s 2023 “Project Clover,” the company’s €12 billion initiative aimed at keeping EU user data within regional data centers and under independent monitoring.





