ByteDance’s TikTok has been slapped with a €530 million ($600 million) fine by the European Union for unlawfully transferring user data to China, a move regulators say falls short of the bloc’s strict privacy standards.
The penalty was handed down by Ireland’s Data Protection Commission (DPC), which acts as TikTok’s lead EU regulator due to the company’s European headquarters in Dublin.
The DPC said the short-form video platform breached General Data Protection Regulation (GDPR) rules and has now been given six months to halt all unauthorized data transfers.
TikTok’s admission
The regulator revealed that TikTok admitted in April that European user data had been stored on servers located in China—directly contradicting earlier claims made during the investigation.
The DPC further criticized TikTok for failing to adequately safeguard user information from potential access by Chinese state authorities under Beijing’s national security laws.
“TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” said Deputy Commissioner at the DPC, Graham Doyle.
In response, TikTok said it will appeal the decision in full, maintaining that it has never received a data request from Chinese authorities, nor provided any European user data to them.
TikTok’s many troubles
This latest fine ranks as the third largest ever under the EU’s GDPR framework, trailing penalties against Meta Platforms Inc. (€1.2 billion) and Amazon.com Inc. (€746 million).
- It also follows a €345 million fine in 2023 against TikTok for mishandling children’s personal data.
- The Irish watchdog has long warned about Big Tech firms transferring EU user data to jurisdictions with weaker privacy protections. Its investigation into TikTok began in 2021, amid concerns that maintenance and AI engineers in China could potentially access European data.
- Beyond privacy, TikTok is also facing a probe under the EU Digital Services Act for allegedly failing to prevent the spread of fake accounts and foreign interference during Romania’s 2024 presidential election.
- The platform is under scrutiny for its addictive design and perceived failure to protect underage users.
What you should know
In March this year, the Nigeria Data Protection Commission (NDPC) also disclosed that it was investigating TikTok and Truecaller over data protection issues.
According to the National Commissioner and Chief Executive Officer of the NDPC, Dr Vincent Olatunji, the commission was scrutinising their compliance with data protection laws and would determine the necessary regulatory action based on its findings.
However, unlike the European regulators that continue to impose heavy fines on the tech companies violating its GDPR, the NDPC said its main focus is remediation and ensuring that data processors and data controllers in the country do what is right.
