Kelvin Chan, Associated Press Business Writer
LONDON (AP) – European Union Privacy Watchdog fined Tiktok USD 600 million on Friday after a four-year investigation found that users were at risk of spying after video sharing app data was transferred to China.
The Irish Data Protection Commission also granted Tiktok that users are not transparent about where their personal data is being sent and ordered the company to comply with the rules within six months.
Because the company’s European headquarters is based in Dublin, the Ireland National Watchdog serves as Tiktok’s lead data privacy regulator in 27 countries and EU.
“Tiktok has failed to verify, assure and demonstrate that Chinese staff members’ personal data of remotely accessed users (European) users were provided with essentially equivalent levels of protection as guaranteed within the EU,” Deputy Commissioner Graham Doyle said in a statement.
Tiktok said it opposed the decision and agreed to a plan to appeal.
In a blog post, the company said the decision will focus on a “selection period” that will end in May 2023. He said he would then begin a data localization project called Project Clover, which includes the construction of three data centres in Europe.
“The fact is that Project Clover has the most stringent data protection anywhere in the industry, including unprecedented independent surveillance by the NCC Group, a leading European cybersecurity company,” said Christine Grahn, Chiktok’s head of European public policy and government relations. “This decision fails to fully consider these substantial data security measures.”
China-based Tiktok, whose parent company, Baitedan, is under scrutiny in Europe for how it processes users’ personal information amid concerns from Western officials that it poses security risks to user data sent to China. In 2023, the Irish Watchdog was also fined hundreds of millions of euros in another child privacy investigation.
Irish Watchdog said the investigation found that Tiktok could not address “potential access by Chinese authorities” to personal data of European users under Chinese laws that have been identified as “material diverging” from EU standards.
Grahn said that Tiktok “has never received requests for European user data from Chinese authorities and has never provided European user data.”
Under EU regulations known as general data protection regulations, European user data can only be transferred outside the block if it is in place to ensure the same level of protection.
Grahn said Tiktok strongly opposed the Irish regulator’s claim that he did not carry out the “necessary assessment” for data transfer, saying he sought advice from law firms and experts. She said that Tiktok is done by thousands of other European companies and is “single out” despite its approach using the “same legal mechanism” of “lined up” in EU regulations.
A survey held in September 2021 found that Tiktok’s privacy policy at the time did not name third countries, including China, where user data was transferred. Watchdog said the subsequently updated policy failed to explain that data processing “remote access to personal data stored in Singapore and the US is stored by China-based personnel.”
Tiktok said it was facing further scrutiny from Ireland’s regulators, saying it had not stored European user data on its Chinese servers, providing inaccurate information throughout the investigation. It wasn’t until April that I notified regulators in February that I discovered that some data was actually stored on Chinese servers.
Doyle said WatchDog considers recent developments “very serious” and “in light of the possibility that further regulatory measures could be justified.”
Original issue: May 2, 2025 8:43am EDT
