TikTok, the world’s most popular short-form video platform, has been fined €530 million (approximately $600 million) for transferring European user data to servers located in China. The act constitutes a violation of the European Union’s General Data Protection Regulation (GDPR).
The decision was made by Ireland’s Data Protection Commission (DPC). The body notes that TikTok failed to ensure that the information sent to China had a level of protection equivalent to that required by European regulations. The court expressed concern about Chinese anti-terrorism and anti-espionage laws. These could allow Chinese authorities to access European users’ data if it is on servers located in China. Chinese laws have also been a major security concern for US authorities regarding DeepSeek AI.
TikTok fined for transferring European user data to servers in China
The bulk of the fine is €485 million for the improper transfer of data. Additionally, there is a €45 million fine due to TikTok’s privacy policy failing to explain these data transfers adequately. It’s notable that the company updated its privacy policy in 2022 and was deemed “compliant” by the court. ByteDance, parent company of TikTok, also promised a €12 billion investment in data centers within the EU. However, it appears that these actions were not sufficient for the DPC.
TikTok assured during the investigation that it did not store user data on Chinese servers. If there was any access by the company’s Chinese branch, it would always be remote. That said, the same company reported in April that it had discovered a limited amount of European data that had been stored in China. The company asserts that it deleted this data.
During the investigation, TikTok maintained that access to user data from China was remote and that the information was not stored on servers in that country. However, in April, the company informed the court about the discovery of a limited amount of European data that had indeed been stored in China and subsequently deleted. DPC Deputy Commissioner Graham Doyle said that “further regulatory action” might be necessary in response to this breach. This may have influenced the latest big fine.
Third largest GDPR-based fine
This fine is the third-highest imposed under the GDPR to date. Only the sanctions imposed on Meta (€1.2 billion) and Amazon (€746 million) are higher. Note that TikTok already received a $367 million fine in 2023 for processing children’s data. These actions underscore the growing concern among European authorities about the platform’s privacy practices.
TikTok now has six months to adapt its data processing to European regulations. Failure to do so could result in harsher fines and penalties. The company could also attempt to appeal the decision, as usual.
