Rules Navigator

TikTok fined $600m by Irish regulator for sending EU user data to China

TikTok logo against EU flag
The fine has been imposed by the Irish Data Protection Commission. Photo: Ezra Acayan/Getty Images

Hameed Shuja

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Fine ruling comes after inquiry looking into the lawfulness of TikTok’s actions.

The Irish Data Protection Commission has imposed a fine of €530m ($600m) on social media giant TikTok for violating EU data protection and privacy rules and sending the data of users in the EU to China.

In its final ruling, published on Friday after a detailed inquiry, the Irish data regulator has said the transfer of personal data to China infringed existing EU GDPR.

“TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Commission said.

The initial inquiry was launched to look into the lawfulness of such a transfer of data, and also to examine whether TikTok was transparent in notifying users about the transfer of their data to another jurisdiction.

Ireland’s Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, concluded that the social media platform failed to comply with EU rules in both cases. On top of the huge financial fine, the final ruling by the Commission also includes “an order requiring TikTok to bring its processing into compliance within six months.”

TikTok, which is owned by Beijing based ByteDance, has disagreed with the decision and said it would have negative ramifications for “any company in Europe with global operations,” the FT has reported.

Erroneous information

The final ruling accuses TikTok of initially telling regulators it did not store any EEA user data on its servers in China, but admitting later that it actually did store data belonging to a limited number of EEA users on its Chinese servers.

Irish regulators. have said the discovery that EU users’ data was stored on servers in China was concerning, and that they were taking the matter very seriously.

DPC Deputy Commissioner Graham Doyle said: “Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”

The EU takes its GDPR seriously and has strict policies in place around the transfer of user data to other jurisdiction outside the block. Such transfers can only happen if certain requirements are met.

Countries such as Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay fall into a category where the EU feels transfer of EU user data will have an adequate level of protection or (“Adequacy Decision”).

But China is not in that list, and transfer of EU user data to that country “can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses.”

The Irish Commission has concluded that existing rules in China to do not guarantee an adequate or equivalent level of data protection which is required under EU rules.

The Commission has asked TikTok to comply with the ruling, or else it will be “appropriate, necessary and proportionate to order the suspension of the Data Transfers” by the social media platform to China.

, , , , , , , , , , , ,

You may also like