TikTok will have to pay a €530 million fine for illegally transferring personal data of Europeans to China and lack of transparency to users, Politico reports, citing the decision of the European regulator.
The Irish Data Protection Commission (DPC) stated that TikTok violated the EU’s basic data protection rules by transferring European users’ data to China, as it could not guarantee that this data would be protected in accordance with Chinese surveillance legislation.
In the first time expressing its position on data transfers to China, the regulator said that TikTok had not properly assessed the implications of Chinese surveillance laws for European data.
These laws, which give the Chinese government broad powers to require companies to transfer data, “differ significantly from EU standards,” TikTok admitted during the investigation.
The regulator also said that TikTok violated transparency rules between 2020 and 2022 by failing to notify users about the transfer of their personal data to China. He noted that the company updated its privacy policy in 2022 and is now “in compliance.”
The company was fined 485 million euros for transferring data to China and 45 million euros for lack of transparency in its privacy policy.
This punishment is the third largest fine for violating the EU General Data Protection Regulation. TikTok’s EU headquarters are located in Ireland, which means that the Irish DPC is the main authority responsible for compliance with EU rules.
For years, TikTok has claimed that it does not store European or US user data on servers in China, but in April it told the regulator that it discovered in February that “a limited amount of EEA user data” was in fact stored in China.
Graham Doyle, deputy commissioner of the Irish DPC, said that the regulator was taking the discovery “very seriously.”
TikTok has been given six months to bring its data processing practices in line with EU privacy rules or to stop all data transfers to China.
TikTok said it “categorically denies” the findings of the Irish DPC and plans to appeal.
The company pointed to its €12 billion investment in the Clover project, which deploys data centers in Europe for local data storage in the EU, as well as other privacy protection measures. The Irish DPC recognized the project but said it was not enough to change its decision.
TikTok said that the Irish DPC’s decision “creates a risk of precedent with far-reaching consequences for companies and entire industries across Europe that operate globally” and “strikes a blow to the competitiveness of the European Union.”
On April 23, the European Commission recognized that Apple and Meta had violated the requirements of the Digital Markets Act (DMA) and fined them €700 million.
Recently, European Commission President Ursula von der Leyen warned large tech companies—including X, Meta, Apple, and TikTok—that the EU is ready to fully enforce its digital laws regardless of who runs these firms or where they are based.
