EU data protection watchdog fines TikTok €530 m for sending user data to China

The Irish Data Protection Commission (DPC) on Friday announced a fine of €530 million (~₹5,060 crore) to TikTok for transferring personal data of users in the European Economic Area (EEA) to China, as per DPC statement.

Additionally, the Inquiry assessed whether TikTok’s communication with users about such data transfers complied with the transparency obligations set out under the GDPR — General Data Protection Regulation, the European Union regulation that oversees the handling of personal data.

Tiktok was also ordered to bring its processing into compliance within 6 months.

DPC Deputy Commissioner Graham Doyle commented, “TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” he added.

As per DPC, TikTok argued that data transfers through remote access were not affected by certain laws and practices. However, TikTok gave the DPC a review of Chinese law during the inquiry that showed parts of China’s legal system do not match the privacy standards of the EU.

The DPC considered this review and the Chinese laws TikTok mentioned — including the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law, and the National Intelligence Law — which differ in important ways from EU rules.

The DPC found that TikTok did not properly examine how Chinese laws and practices protect the personal data of users in the EEA when that data is processed in China. Because of this, TikTok could not choose the right safety steps or make sure the data had the same level of protection as required under EU law.

DPC statement also mentioned that TikTok’s 2021 privacy policy did not list the countries, including China, where personal data was sent. It did not clearly explain what kind of data processing was involved in the transfer, too. In particular, it did not mention that staff in China could access personal data stored in Singapore and the United States through remote access.

Tiktok, however, updated its policy during the inquiry, and identified third countries where the data was transferred, and also revealed that user data stored in US and Singapore servers can be accessed by TikTok entities in Brazil, China, Malaysia, Philippines, Singapore, and US.

Therefore, the GDPR violation regarding transparency and privacy policy was only considered for period between July 29, 2020, and December 1, 2022.