TikTok fined $602 million for illegally sending European user data to China

The Irish Data Protection Commission (DPC) has fined TikTok owner ByteDance €530 million ($602 million) for breaching the European Union's privacy laws. The regulator said TikTok sent European user data to China without being able to guarantee that the information was safe from government surveillance. 

It was reported last month that the DPC was going to slap TikTok with such a fine — the third-largest ever for a General Data Protection Regulation (GDPR) breach. The regulator confirmed that on Friday.

The DPC, which handles enforcement of the GDPR when it comes to TikTok (which has its European HQ in Ireland), also ruled that the platform wasn't adequately transparent with users. Along with the fine, the DPC gave TikTok six months to halt all illegal data transfers.

TikTok claimed during the four-year probe that it didn't store data from European Economic Area users on servers in China. However, it told the DPC last month it learned in February that "limited EEA User Data" had been stored there and admitted that contradicted what it previously said to regulators.

"The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously," DPC deputy commissioner Graham Doyle said in a statement. "Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities."

The DPC said that, between 2020 and 2022, TikTok didn't tell users that their data was being transferred to China. The regulator says TikTok met its transparency requirements in 2022 after updating its privacy policy. Still, the breach of transparency rules resulted in a €45 million fine. The data transfers to China led to a €485 million penalty.

"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," Doyle said. "As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards."

TikTok said in a statement that it disagrees with the ruling and it plans to appeal in full. It claims that Chinese officials had never requested European user data and that it had never provided such information to the country's authorities.

The platform also contends that the DPC did not fully consider Project Clover in its decision. That initiative concerns privacy safeguards, such as setting up European data centers to store data locally. The DPC decision "focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place," Christine Grahn, TikTok's head of public policy and government relations for Europe, said. However, the DPC said it "considered ongoing changes" related to Project Clover while making the ruling.

This is not the first time that the DPC has fined Bytedance. In 2023, it handed down a $368 million penalty after determining TikTok failed to protect the data of users aged between 13 and 17. EU regulators have other ongoing investigations into TikTok over whether it failed to meet obligations to stop foreign interference in an election; age verification and addictive algorithm concerns; and an alleged failure to submit a risk assessment report ahead of rolling out TikTok Lite in France and Spain.

This article originally appeared on Engadget at https://www.engadget.com/big-tech/tiktok-fined-602-million-for-illegally-sending-european-user-data-to-china-154807194.html?src=rss https://www.engadget.com/big-tech/tiktok-fined-602-million-for-illegally-sending-european-user-data-to-china-154807194.html?src=rss