TikTok fined $600 million for sending user data to China
- TikTok has been fined ā¬530 million (approximately $600 million) by the Irish Data Protection Commission for breaching the European Union’s General Data Protection Regulation (GDPR) by sending user data to servers in China.
- The commission found that TikTok failed to guarantee the protection of data transferred to China, citing concerns over China’s anti-terrorism and counter-espionage laws as potential risks.
- TikTok was also fined ā¬45 million for its privacy policy failing to adequately explain data transfers, despite updating its policy in 2022.
- The company has promised to invest ā¬12 billion (approximately $13.6 billion) in EU data centers, but this was not enough to sway the court, which deemed the new policy “compliant” but still found TikTok liable for the breaches.
TikTok has been ordered to pay ā¬530 million (around $600 million) for sending European usersā data to servers in China, a breach of the European Unionās General Data Protection Regulation (GDPR). TikTok has six months to bring its data processing into compliance, pending any possible appeal.
The Irish Data Protection Commission (DPC) found that TikTok violated GDPR laws because it couldnāt guarantee that data transferred to China would be protected to a standard equivalent to the EUās. The court singled out Chinaās anti-terrorism and counter-espionage laws as potential risks that Chinese authorities could access European usersā data.
The video app was fined ā¬485 million for sending the data to China, and ā¬45 million for its privacy policy failing to adequately explain the data transfers. TikTok updated its privacy policy in 2022, and the court deemed that new policy ācompliant.ā The company has also promised to invest ā¬12 billion (about $13.6 billion) in data centers in the EU, but that wasnāt enough to sway the court.
Throughout the inquiry TikTok insisted that user data was only remotely accessed from China, and not stored on servers there. Last month the company informed the court that it had discovered that ālimitedā European data had in fact been stored in China, and has since been deleted. DPC deputy commissioner Graham Doyle warned that āfurther regulatory actionā may be required for that additional breach.
This is the third-largest GDPR fine yet, with only Meta and Amazon ordered to pay more. TikTok, which has its European headquarters in Ireland, has already been given a hefty GDPR penalty from the Irish court before, receiving a $367 million bill in 2023 for how it processes childrenās data.
The ruling comes as TikTokās US business remains in limbo. The app was banned in the USĀ over fears surrounding its data security and possible control by Chinese authorities, and will have to find a US buyer to continue operating. Last month Donald Trump signed a second 75-day pause on the ban, as his ongoing trade war with China appears to have delayed efforts to negotiate a sale of the appās US arm with Chinese owner ByteDance.