Ireland’s Data Protection Commission (DPC) fined TikTok €530 million ($600 million) for violations of the EU’s GDPR. The fine stems from TikTok’s improper handling of personal data transfers to China, violating strict EU laws on data protection. The company failed to meet requirements ensuring that its staff in China could only access European data in compliance with GDPR. TikTok also neglected to conduct the necessary assessments regarding Chinese laws on access to user data, including counterterrorism and counterespionage laws, which differ from European regulations.
In addition to the fines, the DPC ordered TikTok to address its data processing weaknesses within six months or face suspension of its ability to transfer data to China.
The company had previously misled the DPC by claiming that it did not store European users’ data on Chinese servers. However, in April, TikTok acknowledged that some European data had been stored on these servers and stated that it had deleted the data. The DPC is considering additional penalties due to this discovery, emphasizing the seriousness of the violation.
The DPC also found that TikTok failed to meet GDPR transparency requirements. The company’s privacy policy from 2021 did not specify the countries to which it transferred data or disclose remote access to data by staff in China, Singapore, and the United States.
TikTok updated its privacy policy in 2022, during the ongoing inquiry, to ensure compliance with the GDPR’s transparency rules.
This is not the first time TikTok has faced scrutiny for GDPR violations. In September 2023, the DPC fined the company €345 million for issues related to the processing of data from child users. The latest fine and ongoing investigation reflect the EU’s commitment to enforcing data protection laws, especially concerning international data transfers and the protection of European citizens’ personal information.