Ireland's Data Protection Commission (DPC) imposed a €530 million fine on TikTok for transferring European user data to China, violating the EU's General Data Protection Regulation (GDPR).
The DPC found that TikTok failed to ensure an adequate level of data protection for European users' data transferred to China, where the company's main headquarters are located. The lack of verification of equivalent protection against potential access by Chinese authorities under Chinese laws (counter-terrorism, espionage etc.) was a key violation.
TikTok stated that the decision focuses on a specific period before 2023 and disputes the claim that it did not conduct assessments of potential Chinese authorities' access to data.
This decision is viewed by TikTok as potentially setting a precedent with significant consequences for globally operating companies in Europe. The transfer of personal data is a complex issue for tech companies, requiring authorization under European regulations.
The DPC investigated because TikTok's European headquarters is in Ireland. The decision was also reviewed by the European Data Protection Supervisor, with no objections raised.
This fine is one of the largest imposed under the GDPR but smaller than those issued to Meta (€1.2 billion) and Amazon (€746 million) for similar data protection violations.