TikTok Slapped with €530M Fine for EU Data Exodus to China

Another day, another tech giant caught with its hand in the data cookie jar. TikTok just got hit with the second-largest GDPR fine in history—because apparently ’user privacy’ translates to ’send it to Beijing’ in ByteDance’s corporate dictionary.

Regulators didn’t hold back: ’Systemic negligence’ and ’misleading privacy policies’ sealed the deal. Meanwhile, Wall Street analysts are already calculating how many quarters of ad revenue will cover this—probably fewer than it takes to delete your shadow profile from their servers.

Funny how these fines always land like a rounding error on tech balance sheets while regulators pretend they’ve solved the problem. Next up: the ’we take privacy seriously’ press release, followed by zero meaningful architecture changes.

The regulator stated that if TikTok does not comply with its order to bring its data processing into compliance within six months, it will suspend the company’s transfers to China.

In a statement released Friday, Graham Doyle, deputy commissioner at the DPC, said, “TikTok’s data transfers to China violated the GDPR because TikTok failed to verify, guarantee, and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”

“TikTok failed to conduct the required assessments, which resulted in TikTok failing to address the possibility of Chinese authorities gaining access to EEA personal data under Chinese anti-terrorism, counter-espionage, and other laws that TikTok identified as materially deviating from EU standards,” he continued.

The DPC also discovered that TikTok had misled its investigation when it stated that it had not kept European users’ data on Chinese servers. Contrary to its earlier claims, TikTok told the regulator this month that it had found a problem in February where a small amount of European user data was kept on servers located in China. In consultation with its fellow EU data protection authorities, the DPC evaluated whether additional regulatory action is necessary, stating that it takes the matter “very seriously.”.

TikTok is appealing against the ruling because it disagrees with the Irish regulator.

TikTok’s head of public policy and government relations for Europe, Christine Grahn, claimed in a blog post on Friday that the decision did not consider Project Clover, a 12-billion-euro data security project designed to safeguard European users’ data.

According to Grahn, “it does not reflect the safeguards currently in place and instead focuses on a select period from years ago, before Clover’s 2023 implementation.”. She continued, “The DPC itself noted in its report what TikTok has repeatedly stated: it has never been asked for European user data by the Chinese authorities and has never given them European user data.”.