May 2 (UPI) — The Irish Data Protection Commission on Friday fined TikTok $600 million for illegally sending personal data of Europeans to Chinese servers.
The DPC decided TikTok’s actions violated the European Union’s General Data Protection Regulation by transferring the data and not providing sufficient transparency to users.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” DPC Deputy Commissioner Graham Doyle said in a statement.
TikTok was also ordered to bring its data processing into compliance within 6 months.
“TikTok did not address potential access by Chinese authorities to EEA (European Economic Area) personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” Doyle said.
TikTok plans to appeal the DPC fine.
“Beyond the DPC’s failure to substantively consider the extensive safeguards [already implemented by TikTok], we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” TikTok’s Christine Grahn, head of public policy and government relations in Europe, said in a statement.
She said TikTok had not gotten any requests from Chinese authorities to provide European user data.
TikTok told DPC throughout its inquiry that European data was not stored on servers in China.
But in April TikTok informed the DPC that “limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry.”
TikTok told the DPC it deleted the data on Chinese servers.
The DPC ordered TikTok to suspend the data transfers and bring its processing operations into compliance with the GDPR.
TikTok’s December 2022 revised EEA Privacy Policy informed European users that personal data was stored on servers in the United States and Singapore.
That policy also informed European users the data was subject to remote access by TikTok’s corporate group in Brazil, China, Malaysia, Philippines, Singapore, and the United States.
The fine is the third-largest imposed for violating the GDPR. TikTok’s EU headquarters is in Ireland, giving the DPC legal regulatory authority over TikTok.
