TikTok Fined €530M For Breaking EU Rules
The controversial social media platform TikTok, which has alreday been ordered to divest its US business, has now been ordered to pay €530 million in fines by the Irish Data Protection Commission (DPC), because it illegally sent the personal data of EU citizens to China and it was not clear about its actions with users.
The DPC said TikTok breached the EU’s flagship data protection rules when it sent European user data to China because it couldn’t guarantee that the data was protected under China’s surveillance laws.
Ruling on the issue of data transfers to China for the first time, the Irish regulator said TikTok failed to adequately assess the implications of Chinese surveillance laws on Europeans’ data. Those laws, which give the Chinese government sweeping powers to order companies to hand over data, “materially diverge from EU standards,” TikTok acknowledged during the inquiry. TikTok has its EU headquarters in Ireland, meaning the Irish DPC is the lead authority in charge of enforcing the EU rules.
TikTok has previously claimed it did not store European or American user data on servers in China, but in April informed the regulator that it had discovered in February that “limited EEA User Data” had in fact been stored in China. The DPC said TikTok breached transparency rules between 2020 and 2022 because it didn’t tell users that personal data was being transferred to China. It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”
The company has been fined €485 million for its data transfers to China and €45 million for the lack of transparency in its privacy policy. The fine is the third-largest ever for a breach of the EU’s General Data Protection Regulation.
The Irish DPC Deputy Commissioner, Graham Doyle, said the regulator was taking this discovery “very seriously,” and while TikTok has said it deleted the data on Chinese servers, was considering “what further regulatory action may be warranted.”
TikTok strongly contests the Irish DPC’s findings and plans to appeal. "Beyond the DPC’s failure to substantively consider the extensive safeguards already implemented by Tiktok, we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” said Christine Grahn, TikTok’s head of public policy and government relations for Europe, in a statement.
TikTok pointed to its €12 billion investment in Project Clover, which involves building data centres in Ireland and Norway to localise European user data and restrict access from overseas, along with other privacy safeguards. Grahn said that DPC ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”
Despite TikTok’s complaint, the DPC’s ruling sends a clear message to companies operating in the EU that they must not only ensure transparency but also protect data from being channelled into jurisdictions where European protections are not upheld.
The DPC has given TikTok a six-month deadline to bring all its data handling operations into full compliance or risk further sanctions. However, TikTok insists that it has never received a request from the Chinese government for European user data and has never provided any.
Politico | Reuters | Infosecurity Magazine | Music Essentials | IOL | Guardian | Wikipedia
Image:
You Might Also Read:
Ireland - The EU's Data Repository:
If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible