TikTok Fined €530M For Breaking EU Rules

The controversial social media platform TikTok, which has already been ordered to divest its US business, has now been ordered to pay €530 million in fines by the Irish Data Protection Commission (DPC) because it illegally sent the personal data of EU citizens to China and was not transparent with users about doing so.

The DPC said TikTok breached the EU’s flagship data protection rules when it sent European user data to China because it couldn’t guarantee that the data was protected under China’s surveillance laws.

Ruling on the issue of data transfers to China for the first time, the Irish regulator said TikTok failed to adequately assess the implications of Chinese surveillance laws on Europeans’ data. Those laws, which give the Chinese government sweeping powers to order companies to hand over data, “materially diverge from EU standards,” TikTok acknowledged during the inquiry. TikTok has its EU headquarters in Ireland, meaning the Irish DPC is the lead authority in charge of enforcing the EU rules.

TikTok has previously claimed it did not store European or American user data on servers in China, but in April informed the regulator that it had discovered in February that “limited EEA User Data” had in fact been stored in China. The DPC said TikTok breached transparency rules between 2020 and 2022 because it didn’t tell users that personal data was being transferred to China. It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”

The company has been fined €485 million for its data transfers to China and €45 million for the lack of transparency in its privacy policy. The fine is the third-largest ever for a breach of the EU’s General Data Protection Regulation.

The Irish DPC Deputy Commissioner, Graham Doyle, said the regulator was taking this discovery “very seriously” and, while TikTok has said it deleted the data on Chinese servers, was considering “what further regulatory action may be warranted.”

TikTok strongly contests the Irish DPC’s findings and plans to appeal. “Beyond the DPC’s failure to substantively consider the extensive safeguards already implemented by TikTok, we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” said Christine Grahn, TikTok’s head of public policy and government relations for Europe, in a statement.

TikTok pointed to its €12 billion investment in Project Clover, which involves building data centres in Ireland and Norway to localise European user data and restrict access from overseas, along with other privacy safeguards. Grahn said that the DPC ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”

Despite TikTok’s complaint, the DPC’s ruling sends a clear message to companies operating in the EU that they must not only ensure transparency but also protect data from being channelled into jurisdictions where European protections are not upheld.

The DPC has given TikTok a six-month deadline to bring all its data handling operations into full compliance or risk further sanctions. However, TikTok insists that it has never received a request from the Chinese government for European user data and has never provided any.

Politico | Reuters | Infosecurity Magazine | Music Essentials | IOL | Guardian | Wikipedia
