TikTok fined €530M after EU user data ends up on servers in China

Ireland privacy watchdog says transfers violated GDPR, as Chinese app confirms €1B datacenter in Finland

Ireland's Data Protection Commission (DPC) has confirmed a fine of €530 million ($600 million) against social media biz TikTok for transferring European user data to China.

The DPC announced its final decision Friday following an inquiry into the lawfulness of TikTok's transfers of personal data from users of the video-based social media app in the wider European Economic Area (EEA) to the People's Republic of China, where its parent company ByteDance is based.

That inquiry has concluded that TikTok infringed the EU General Data Protection Regulation (GDPR) with regard to transfers of data to China, as well as transparency requirements. The decision includes administrative fines totaling €530 million, plus an order requiring TikTok to bring its processing into compliance within six months.

The ruling also includes an order suspending data transfers if TikTok has not brought them into compliance within this time frame.

"The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries," DPC Deputy Commissioner Graham Doyle said in a statement regarding the decision.

"TikTok's personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU."

"As a result of TikTok's failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards."

Furthermore, Ireland's privacy regulator says that TikTok informed it last month that some EEA User Data had in fact been stored on servers in China, contrary to TikTok's evidence given to the inquiry. The social media biz told the DPC that this was due to an issue it had only discovered in February.

Deputy Commissioner Doyle said the DPC is taking the revelation about the data storage in China very seriously. "Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities."

TikTok said that it disagrees with the decision and intends to appeal. In a statement on its website, Christine Grahn, Head of Public Policy and Government Relations for TikTok Europe, said: "The decision fails to fully consider Project Clover, our €12 billion ($13.5 billion) industry-leading data security initiative that includes some of the most stringent data protections anywhere. It instead focuses on a select period from years ago, prior to Clover's 2023 implementation and does not reflect the safeguards now in place."

"The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them," she added.

The news comes as TikTok disclosed it is spending €1 billion ($1.13 billion) on a new datacenter in Finland to "enhance data security across Europe," as part of Project Clover.

It is understood that the social media platform, which is known to be popular with the youth, already has a Euro bit barn located in Dublin and another in Norway.

"Finland's strong digital infrastructure, clean energy mix, and robust data governance make it an ideal location for the next phase of this development. Once live, it will support the default storage of European user data within our secure European Enclave, expanding our capacity to manage data locally while meeting the highest standards of security and oversight," TikTok said.

Meanwhile, TikTok has faced similar troubles over privacy concerns in the US. This has led to the situation where its American operations will likely have to be sold off to a domestic entity, or face being banned from the country altogether. ®
