TikTok has been hit with a €530 million penalty by the Irish Data Protection Commission (DPC) for violating EU privacy laws following a probe into the platform’s transfer of European user data to China.
The watchdog found that the company breached the bloc’s data protection rules through unlawful transfers of European user data to China, giving it a six-month deadline to halt any non-compliant transfers.
In April, the ByteDance-owned company revealed that some European user data had been stored on servers in China, contradicting previous claims made to the regulator during the investigation. In a statement, Graham Doyle, a deputy commissioner at the DPC stated TikTok had failed to properly assess whether users’ personal data accessed remotely in China received protection equivalent to EU standards considering that local laws such as anti-terrorism and counter-espionage are “materially diverging from EU standards”.
The regulator also criticised TikTok’s lack of transparency in informing users about these transfers. The investigation uncovered flaws in TikTok’s 2021 privacy policy, which did not name China as a destination for data transfers or outline the scope of processing activities. These gaps amounted to a €45 million fine for transparency failings, with €485 million imposed for the unlawful transfers.
Although TikTok has since confirmed that the data in question has been deleted, the DPC stated it is considering whether further regulatory action is necessary in consultation with the EU Data Protection Authorities. The watchdog is taking the case “very seriously”, Doyle added.
TikTok plans to appeal the decision and stated it has never received or responded to requests for European user data from Chinese authorities.
According to Bloomberg, the penalty marks the third largest ever issued under the General Data Protection Regulation (GDPR), trailing previous fines of €1.2 billion against Meta Platforms and €746 million against Amazon.