TikTok has been fined €530m (£452m) by an Irish watchdog over a failure to guarantee that European user data sent to China would not be accessed by the Chinese government.
Ireland’s Data Protection Commission (DPC) regulates TikTok across the European Economic Area (EEA), which includes all 27 EU member states plus Iceland, Liechtenstein and Norway.
It found the Chinese-owned video-sharing app breached general data protection regulation (GDPR) by not addressing whether EEA user data sent to China would be shielded from that country’s authorities.
The DPC said: “TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counterespionage and other laws identified by TikTok as materially diverging from EU standards.”
TikTok failed to “verify, guarantee and demonstrate” that European user data sent to China was offered a level of protection equivalent to that guaranteed within the EU, said the DPC.
TikTok said the DPC had made “no finding” that it shared European user data with Chinese authorities. It said it had never received a request for user data from Chinese authorities, or provided user data to them.
TikTok was also ordered to suspend data transfers to China if its processing was not brought into compliance within six months.
China’s National Intelligence Law of 2017, for instance, states that all organisations and citizens shall “support, assist and cooperate” with national intelligence efforts.
The DPC said data had been “remotely accessed by [TikTok] staff in China”.
The watchdog also stated that TikTok had submitted “erroneous information” to its inquiry. TikTok initially told the regulator that it did not store user data from the EEA, but admitted last month that it did allow “limited” European user data to be stored in China.
The Dublin-based regulator said it took the “inaccurate” submission very seriously and was considering whether further regulatory action was needed.
The safety of TikTok user data has long been a source of concern among politicians concerned by its Chinese ownership. The app is still threatened by a ban in the US, and lawmakers on both sides of the Atlantic have warned that user data could be accessed by the Chinese state. TikTok is controlled by Beijing-based ByteDance.
TikTok, which said it would appeal against the ruling, said it now had safeguards in place under its Project Clover data security scheme, which was announced in March 2023. The DPC investigation covered a period from September 2021 to May 2023.
The DPC’s ruling included a finding that its privacy statement to users in 2021, which referred to personal user data being transferred to a third country, did not refer to data being accessed in China. The privacy policy was then updated in 2022 to acknowledge data could be accessed in China.
At the time of the 2022 change, TikTok said European user data could be accessed in countries such as China to conduct checks on aspects of the platform, including the performance of its algorithms, which recommend content to users, and detect vexatious automated accounts.
