TikTok faces a massive €530 million fine from its lead EU privacy regulator over data protection breaches and has been ordered to halt transfers of user data to China within six months unless it fixes its compliance issues.
Ireland’s Data Protection Commissioner (DPC) said TikTok, owned by China’s ByteDance, failed to show that EU users’ personal data, some of which is remotely accessed by staff in China, was afforded the high level of protection provided for under EU law.
As a result, the short-video platform did not address potential access by Chinese authorities to the data under counter-espionage and other laws identified by TikTok as materially diverging from EU standards, the DPC said in a statement.
TikTok to Invest €1 Billion in Finland Data Centre for European Users
TikTok said it strongly contested the finding and that it has used the EU’s own legal framework, specifically so-called standard contractual clauses, to grant tightly controlled and limited remote access. It plans to appeal the ruling.
It also said the decision fails to fully consider data security measures first rolled out in 2023 that independently monitor remote access and ensure EU user data is stored in dedicated data centres in Europe and the United States.
TikTok, which has grown rapidly among teenagers around the world in recent years and has 175 million users across Europe, added that it has never received a request for EU user data from the Chinese authorities, and has never provided data to them.
“This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” TikTok said in a statement.
The DPC also found that while TikTok said throughout the four-year inquiry that it did not store EU user data on servers in China, it disclosed last month that it discovered in February that a limited amount was stored in China and since deleted.
TikTok challenges Trump’s divestiture order
“The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted,” DPC Deputy Commissioner Graham Doyle said.
It is the second time TikTok has been reprimanded by the DPC. It was fined 345 million euros in 2023 for breaching privacy laws regarding the processing of children’s personal data in the EU.
The powerful Irish privacy regulator, the lead regulator in the EU for many of the world’s top tech firms due to the location of their regional headquarters in Ireland, has also fined the likes of Microsoft’s, LinkedIn, X and Meta since it was given sanctioning powers in 2018.
Under the EU’s General Data Protection Regulation (GDPR), that also covers European Economic Area member states Iceland, Liechtenstein and Norway, the lead regulator for any given company can impose fines of up to 4% of its global revenue.
