The Irish Data Protection Commission (DPC) has fined video sharing platform, TikTok, €530 million for allowing European users’ personal data to be accessed in China.
Under EU law, European users’ data can only be processed within the European Union or countries which the EU believes has adequate data safeguards in place including the UK and the US.
Personal data is protected under the EU’s General Data Protection Regulation, commonly known as GDPR.
“GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries”, says Graham Doyle from the Irish Data Protection Commission.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA [European Economic Area] personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
The Irish authority was responsible for the investigation because TikTok’s European headquarters is here in Ireland.
Throughout the Inquiry, the DPC said that TikTok claimed it did not store European user data in China.
But, within the last few weeks, TikTok told the DPC that it had discovered in February of this year that “limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry.”
The DPC says it is now analysing the impact of this discovery.
Meanwhile, as well as the €530 million fine, the DPC has ordered the company to bring its data processing into compliance within six months.
“The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.”
Responding to the Irish Data Protection Commission’s decision, TikTok said the DPC had focused on “a select period from years ago”. Since then the company says it has invested €12 billion in data security through its Project Clover initiative.
TikTok says it has “never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”
“We disagree with the decision and plan to appeal in full”, said TikTok’s Head of Public Policy & Government Relations – Europe, Christine Grahn, in a statement.