The Data Protection Commission (DPC) has fined TikTok a total of €530m over the transfer of personal data of European users to China
Throughout a DPC inquiry into the lawfulness of TikTok's transference of user data from the EEA to China, the company had informed the Irish data watchdog that it did not store EEA user data in China.
Last month though, TikTok informed the DPC of an issue it had discovered in February where "limited EEA user data" had in fact been stored on Chinese servers.
Under its data security plan, Project Clover, TikTok claimed it stores European user information at data centres in Dublin and Norway.
The inquiry also examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.
The Commissioners for Data Protection, Dr. Des Hogan and Dale Sutherland, found that TikTok had infringed GDPR regarding its transfer of European user data to China and its transparency requirements.
They informed TikTok of their findings on Thursday (1 May), and ordered the company to bring its processing into compliance within six months.
The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
The €530m fine is one of the largest imposed by the DPC after penalties of €1.2bn and €746m to Meta and Amazon.
"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," explained Graham Doyle, DPC Deputy Commissioner.
"As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
Regarding the latest disclosure by TikTok, Doyle added: "The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously.
"Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
The DPC submitted a draft decision to the GDPR cooperation mechanism in February, as required under European law, and no objections were raised by peer EU and EEA supervisory authorities.
The DPC said it would publish the full decision and further related information in due course.
TikTok has said it intends to appeal the decision in full.
"The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them," said Christine Grahn, head of public policy and government relations for Europe at TikTok.
"The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm."
TikTok recently confirmed plans to cut around 300 jobs in Ireland. The company currently employs about 3,000 people here.
(Pic: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)
