The EU fined TikTok €530 million for violating privacy laws by transferring user data to China without adequate safeguards. Ireland’s regulator also cited transparency failures. TikTok plans to appeal, arguing its newer data protection measures weren’t fully considered. Further scrutiny over data storage continues.
On Friday, a European Union privacy regulator imposed a €530 million ($600 million) penalty on TikTok following a four-year probe that revealed the video-sharing platform’s data transfers to China exposed users to potential surveillance, violating stringent EU data protection laws.
Ireland’s Data Protection Commission (DPC), which oversees TikTok’s compliance in the EU due to the company’s Dublin-based European headquarters, also reprimanded the platform for failing to clearly inform users about where their personal data was being sent. The regulator gave TikTok six months to align with EU regulations.
Deputy Commissioner Graham Doyle stated that TikTok did not sufficiently prove that European users’ data, accessed remotely by employees in China, received protection equivalent to EU standards.
TikTok has contested the ruling, announcing plans to appeal. The company argued that the investigation centered on practices before May 2023, prior to its “Project Clover” initiative—a data localization effort involving the construction of three European data centers.
Christine Grahn, TikTok’s head of European public policy, emphasized that Project Clover implements some of the industry’s strictest safeguards, including oversight by cybersecurity firm NCC Group. She criticized the decision for overlooking these measures.
Owned by China-based ByteDance, TikTok has faced growing scrutiny in Europe over data security concerns, particularly regarding potential access by Chinese authorities under national security laws that EU officials say conflict with European privacy standards.
In 2023, the Irish regulator separately fined TikTok hundreds of millions for child privacy violations. The latest investigation found TikTok’s privacy policy at the time did not disclose transfers to China or clarify that personnel in China could access data stored in Singapore and the U.S.
Grahn asserted that TikTok has never shared European user data with Chinese authorities and complies with EU data transfer rules, using the same legal frameworks as other companies.
The DPC is also investigating TikTok for providing misleading information during the inquiry, initially denying storage of EU data on Chinese servers before admitting in April that some data had been held there. Doyle stated the regulator is evaluating further action.