TikTok hit with €530M fine after illegally sending users’ data to China

TikTok has to pay €530 million in penalties because it sent the personal data of Europeans to China illegally and wasn’t transparent enough with users, Ireland’s powerful privacy regulator said Friday.

The Irish Data Protection Commission (DPC) said TikTok breached the EU’s flagship data protection rules when it sent European user data to China because it couldn’t guarantee that the data was protected under China’s surveillance laws.

Taking a stance on data transfers to China for the first time, the regulator said TikTok failed to adequately assess the implications of Chinese surveillance laws on Europeans’ data.

Those laws — which give the Chinese government sweeping powers to order companies to hand over data — “materially diverge from EU standards,” TikTok acknowledged during the inquiry.

The regulator also said TikTok breached transparency rules between 2020 and 2022 because it didn’t tell users that personal data was being transferred to China. It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”

The company has been fined €485 million for its data transfers to China and €45 million for the lack of transparency in its privacy policy.

The fine is the third-largest ever for a breach of the EU’s General Data Protection Regulation. TikTok has its EU headquarters in Ireland, meaning the Irish DPC is the lead authority in charge of enforcing the EU rules.

TikTok had for years claimed it did not store European or American user data on servers in China, but in April informed the regulator that it had discovered in February that “limited EEA User Data” had in fact been stored in China.

Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this discovery “very seriously,” and while TikTok has said it deleted the data on Chinese servers, was considering “what further regulatory action may be warranted.”

TikTok has been given six months to bring its data processing practices in line with the EU’s privacy rules, or suspend all data transfers to the country.

TikTok said it “strongly contest[s]” the Irish DPC’s findings and plans to appeal in full.

"Beyond the DPC’s failure to substantively consider the extensive safeguards [already implemented by Tiktok], we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” said Christine Grahn, TikTok’s head of public policy and government relations for Europe, in a written statement.

TikTok pointed to its €12 billion investment in Project Clover, which is rolling out data centers in Europe to store data locally in the EU, as well as other privacy safeguards. The Irish DPC acknowledged the project but said it was not enough to sway its decision.

Grahn emphasized that TikTok has “never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”

She said that the Irish DPC ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”