The Irish Data Protection Commission (DPC) has fined TikTok €530 million (over $601 million) for illegally transferring the personal data of users in the European Economic Area (EEA) to China, violating the European Union's GDPR data protection regulations. "TikTok's personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," said DPC Deputy Commissioner Graham Doyle.
The administrative fines imposed by the Irish watchdog consist of a fine of €485 million for its infringement of Article 46(1) GDPR regarding the lawfulness of the data transfers to China and a fine of €45 million for its infringement of Article 13(1)(f) regarding the lack of transparency. TikTok was also ordered to bring its data processing into compliance within six months, with the DPC planning to suspend all data transfers to China if the company fails to update its policies in time.
The DPC added that TikTok claimed during the investigation that it did not store users' data from the European Economic Area (EEA) on servers located in China. However, in April 2025, TikTok revealed that it had discovered in February 2025 that some EEA user data had been stored on servers in China, contradicting the company's earlier statements. DPC officials pointed out that the issue goes beyond the location of the servers and is also about the risk that Chinese authorities could access the data of European users under domestic laws concerning terrorism and espionage, which contravene EU standards.
However, Christine Grahn, TikTok's Head of Public Policy & Government Relations for Europe, said the company disagrees with the DPC's decision and that it's planning to appeal it because it fails to consider TikTok's new Project Clover data security initiative. "Under Project Clover, TikTok has implemented advanced privacy-enhancing technologies (PETs), such as encryption-on-access and differential privacy, to ensure that non-restricted data is de-identified before it can be accessed by employees in China," Grahn said.
This is the third-largest fine imposed by the Irish data protection authority so far, after sanctioning Amazon with 746 million euros for its targeted behavioral advertising practices and Facebook with 1.2 billion euros for transferring data of EU-based users to the United States.
Previously, TikTok was slapped with a €345 million ($368 million) fine by the DPC for violating the privacy of children while processing their data and employing "dark patterns" during the registration process and while posting videos, nudging users toward selecting options that compromised their privacy. In January 2023, TikTok was also fined €5 million ($5.4 million) by France's data protection authority (CNIL) for failing to adequately inform users about its cookie usage and making it challenging to opt out.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 02 May 2025 12:15:11 +0000