Why TikTok got hit with a $600 million fine from EU privacy watchdogs

European Union privacy watchdogs fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video-sharing app’s data transfers to China breached strict data privacy rules in the EU.

Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and it ordered the company to comply with the rules within six months.

The Irish national watchdog serves as TikTok’s lead data privacy regulator in the 27-nation EU because the company’s European headquarters is based in Dublin.

“TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Deputy Commissioner Graham Doyle said in a statement.

TikTok said it disagreed with the decision and plans to appeal.

The company said in a blog post that the decision focuses on a “select period” ending in May 2023, before it embarked on a data localization project called Project Clover that involved building three data centers in Europe.

“The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm,” said Christine Grahn, TikTok’s European head of public policy and government relations. “The decision fails to fully consider these considerable data security measures.”

TikTok, whose parent company ByteDance is based in China, has been under scrutiny in Europe over how it handles personal information of its users amid concerns from Western officials that it poses a security risk over user data sent to China. In 2023, the Irish watchdog also fined the company hundreds of millions of euros in a separate child privacy investigation.

The Irish watchdog said its investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data under Chinese laws on anti-terrorism, counter-espionage, cybersecurity and national intelligence that were identified as “materially diverging” from EU standards.

Grahn said TikTok has “has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”

Under the EU rules, known as the General Data Protection Regulation, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection.

Grahn said TikTok strongly disagreed with the Irish regulator’s argument that it didn’t carry out “necessary assessments” for data transfers, saying it sought advice from law firms and experts. She said TikTok was being “singled out” even though it uses the “same legal mechanisms” that thousands of other companies in Europe does and its approach is “in line” with EU rules.

The investigation, which opened in September 2021, also found that TikTok’s privacy policy at the time did not name third countries, including China, where user data was transferred. The watchdog said the policy, which has since been updated, failed to explain that data processing involved “remote access to personal data stored in Singapore and the United States by personnel based in China.”

TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information to throughout the inquiry by saying that it didn’t store European user data on Chinese servers. It wasn’t until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers.

Doyle said that the watchdog is taking the recent developments “very seriously” and “considering what further regulatory action may be warranted.”