On Friday, TikTok was hit with a hefty €530 million fine by the European Union for failing to guarantee proper protection for the personal data of European users that was transferred to China. This fine comes amid growing scrutiny of the platform, especially from the United States, over concerns about its data privacy practices and links to Beijing.
The social media giant, which boasts 1.5 billion users worldwide, is owned by ByteDance, a Chinese company. It has been under increasing pressure from Western governments who fear that the data of its users could be misused for espionage or propaganda purposes due to its association with China.
This significant penalty was imposed by Ireland’s Data Protection Commission (DPC), which acts on behalf of the EU, given that TikTok’s European headquarters is based in Dublin. The fine is one of the largest ever issued by the Irish data protection regulator.
Read Also: 166 Arrested in European Operation Against Child Exploitation
Violating EU Data Protection Laws (GDPR)
According to Graham Doyle, a spokesperson for the Irish data regulator, TikTok violated the European General Data Protection Regulation (GDPR). The company failed to demonstrate that the personal data of its European users, which is accessible to its staff in China, is protected to an equivalent standard as required within the EU. In other words, TikTok was unable to ensure that this data would not be accessed by Chinese authorities, especially through the country’s anti-terrorism and counter-espionage laws, which are known to significantly differ from European norms.
This has raised significant concerns over whether TikTok can fully protect European data from potential access by Chinese authorities, leading to fears about privacy violations.
TikTok has announced its intention to appeal the fine and has been given six months to bring its operations into compliance with the GDPR.
Data Transfer Issues and European Concerns
The key issue in this case is that European data cannot be transferred to third countries unless they are deemed to provide a sufficient level of protection, similar to that found within the EU. Countries like Japan, the UK, and the US are examples of those approved by the EU. However, for countries like China, which do not have an adequacy decision from the EU, it is the responsibility of the company to prove that the data protection standards in the destination country are equal to EU regulations. This was something TikTok failed to do in this instance.
The decision could also increase pressure on TikTok in the US, where lawmakers have passed a law requiring ByteDance to relinquish control of TikTok in the country or face a potential ban. Former US President Donald Trump previously attempted to force ByteDance to sell TikTok’s US operations, and although the deadline for this was extended to June 19, it remains a major issue in US-China relations.
In response to the fine, TikTok has firmly stated that it has “never received any request” from the Chinese authorities for European user data, and that it has never provided such data to Beijing. The company highlights its data protection efforts through its Clover program, which involves a significant €12 billion investment over the next ten years.
TikTok further asserts that the data of European users is stored primarily in Norway, Ireland, and the United States, and that Chinese employees do not have access to sensitive information such as phone numbers or IP addresses.
Data Stored in China
Despite these claims, the DPC investigation revealed that, as of April 2023, TikTok had stored European data in China, contrary to its previous statements. This development has raised alarm bells within the regulatory body. Graham Doyle emphasized that the DPC is considering further regulatory actions, expressing concern over the new findings.
Additionally, TikTok has been criticized for a lack of transparency between 2020 and 2022 regarding its data practices. The company did not inform its users where their data was being transferred nor did it reveal that this data could be accessed from China. The fine includes €45 million specifically for this failure to be transparent about data transfers.
Previous Fines and the Growing Scrutiny on Data Practices
In 2023, the DPC had already fined TikTok €345 million for violating European rules concerning the handling of minors’ data. However, this latest fine is a reminder of the growing concerns over TikTok’s practices, and it adds to the list of significant fines imposed on tech companies under the GDPR framework.
For comparison, the largest GDPR fine ever issued by the DPC was against Meta (Facebook) in 2023, which was fined €1.2 billion for continuing to transfer European data to the US despite concerns about surveillance by US intelligence agencies.
This ongoing scrutiny underscores the increasing importance of data privacy and security in an interconnected world, particularly when it involves platforms that operate on a global scale like TikTok. As data protection becomes a primary issue for governments worldwide, TikTok and other tech giants will likely face more regulatory challenges moving forward.
This article is originally published on: msn
