TikTok Illegally Sent Europeans’ Personal Data To China, EU Regulators Claim

This is the third-largest fine ever imposed under the EU’s General Data Protection Regulation (GDPR). As TikTok’s EU headquarters are in Ireland, the Irish DPC serves as its lead regulator.

During the inquiry, TikTok admitted that Chinese surveillance laws—giving authorities broad powers to demand data access—“materially diverge from EU standards.” Despite previously claiming it did not store European or U.S. user data in China, TikTok informed the DPC in April that it had discovered in February that “limited EEA User Data” had, in fact, been stored there.

Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this discovery “very seriously.” Although TikTok claims it has since deleted the data from Chinese servers, Doyle noted the DPC is still considering “what further regulatory action may be warranted.”

Politico says that TikTok now has six months to either bring its data practices into full compliance with EU privacy laws or suspend all data transfers to China. TikTok said it “strongly contest[s]” the DPC’s findings and plans a full appeal.

“Beyond the DPC’s failure to substantively consider the extensive safeguards [already implemented by TikTok], we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” said Christine Grahn, TikTok’s head of public policy and government relations for Europe.

Grahn also emphasized that TikTok has “never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”

She warned the ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”

TikTok highlighted its €12 billion investment in Project Clover, which includes building data centers in Europe to store data locally and implementing additional privacy safeguards. While the DPC acknowledged this effort, it said it was not enough to change its decision.

The Free Beacon writes that DPC deputy commissioner Graham Doyle said: “TikTok failed to verify, guarantee and demonstrate that the personal data of [European] users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”