It was in the air and, after a month of waiting, the final decision has arrived: the Irish Data Protection Commission (DPC) has inflicted on ByteDance, the TikTok's parent companya whirlpool bath, record fine of 530 million euros. The sanction, which comes after a months-long investigation, concerns the unlawful transfer of personal data of European users in China, without due compliance with the regulations on the protection of personal data.
The third highest fine ever issued by the Irish authority, after those inflicted on Amazon (746 million) and Meta (1,2 billion).
User data illegally transferred to China
The investigation focused on TikTok's compliance with the General Data Protection Regulation (GDPR), with particular attention to European user data transfers to China. TikTok is not rmanaged to ensure that the information was protected according to the standards required by the European Union. In fact, Chinese surveillance laws allow the government to access company data, a condition that does not meet the protection requirements set by the GDPR.
La fine of 530 million euros is divided in two components: 485 million for illicit data transfers and 45 million for lack of transparency towards users. The Irish Commission highlighted how TikTok has not carried out a adequate assessment of the impact of Chinese laws on data protection, thus violating European regulations.
Furthermore, the platform did not clearly and comprehensively inform users about data transfers to China, as required by the Data Protection Regulation.
TikTok Isn't Going Too Far and Promises Legal Battle
TikTok has claimed to be “strongly disagree” with the decision of the DPC and announced the intention to to appealThe company claims that the Commission has not taking into account the security measures already implemented, such as the “Clover Project”, which envisages the creation of data centres in Europe to locally store European users’ data.
The DPC stressed that these measures are not enough to ensure full compliance with the GDPR. TikTok also recently admitted that it had stored data of European users on servers in China, contrary to its initial statements. Although the company said it had deleted this data, the Irish regulator said it would look into further regulatory action.
Six months to comply or suspension of transfers
The European Union continues to maintain a strict position on personal data protection, stressing the importance of enforcing the law even at the cost of negatively impacting the business of global companies. TikTok has six months to adapt its practices of data processing to European regulations. Otherwise, the platform will be obliged to suspend all data transfers to China.
The DPC’s decision marks a turning point in the regulation of digital privacy, highlighting the determination of European authorities to defend users’ rights even in the face of pressure from multinational technology companies.
