Source Credit : CNBC
TikTok has been fined 530 million euros ($601.3 million) by Ireland's privacy regulator for unlawfully transferring user data to China. The Irish Data Protection Commission (DPC), responsible for overseeing privacy compliance for TikTok in the EU, announced on Friday that the social media platform violated the GDPR data protection law by sending European user data to China. This significant fine underscores the importance of safeguarding user data and complying with privacy regulations in the digital age.
The regulatory body has mandated that TikTok must ensure its data processing practices are in compliance within a six-month period. Failure to do so will result in the suspension of TikTok's data transfers to China.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Graham Doyle, deputy commissioner at the DPC, said in a statement Friday.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” he added.
The Data Protection Commission (DPC) has revealed that TikTok provided inaccurate information during its inquiry by claiming that it did not store European users' data on servers located in China. TikTok recently informed the regulator that it identified an issue in February where a limited amount of European user data had indeed been stored on servers in China, contradicting its previous statements. This revelation highlights the importance of transparency and accuracy in data handling practices, especially when it comes to protecting the privacy of users.
In a recent blog post, Christine Grahn, TikTok's Head of Public Policy and Government Relations for Europe, expressed disappointment in the decision that overlooked Project Clover. This 12-billion-euro data security initiative is specifically designed to safeguard European user data.
The DPC takes the issue “very seriously” and is considering what further regulatory action may be warranted in consultation with its fellow EU data protection authorities, Doyle said.
“It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place,” Grahn said. “The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them,” she added.
In a 2022 update to its privacy policy, the company stated that employees in countries where it operates, such as China, Brazil, Canada, and Israel, are authorized to access users' data in order to maintain a consistent, enjoyable, and safe user experience.
Western policymakers and regulators are expressing concerns about TikTok's transfer of user data, fearing that Beijing may access this information for the purpose of spying on users of the app. According to Chinese law, tech companies are obligated to provide user data to the Chinese government upon request to aid in broadly-defined "intelligence work."
TikTok has consistently maintained that it has never shared user data with the Chinese government. In 2023, TikTok CEO Shou Zi Chew reiterated this stance during a U.S. Congress hearing, stating in written testimony that the app has never shared, nor received a request to share, U.S. user data with the Chinese government.
