EU hits TikTok with $600 million fine over data transfers to China, company replies

TikTok has been fined 530 million euros (approx $600 million) by the European Union (EU), regulators have announced. The company, owned by Chinese tech giant ByteDance, has been found illegally sending the personal data of European users to China and failing to adequately ensure that this data was protected from potential access by Chinese authorities.
According to a report by news agency AFP, the penalty – one of the largest ever issued by the European bloc's data protection authorities – follows a thorough investigation into the legality of TikTok's data transfer practices.
Ireland's Data Protection Commission (DPC), which serves as the lead regulator for TikTok in Europe due to the company's European headquarters being located there, revealed that TikTok acknowledged during the probe that it had, in fact, hosted European user data in China.
“TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Graham Doyle, the DPC's deputy commissioner.
Furthermore, Doyle emphasised TikTok's failure to address the risk of potential access to Europeans' personal data by Chinese authorities under China's anti-terrorism, counter-espionage, and other laws, which TikTok itself identified as significantly different from EU data protection standards.
Despite the findings, TikTok has announced its intention to appeal the substantial EU fine. Christine Grahn of TikTok Europe insisted that the company has “never received a request” from Chinese authorities for European users' data and that “(TikTok) has never provided European user data to them.”
“We disagree with this decision and intend to appeal it in full,” she stated.
The social media platform, which has 1.5 billion users globally, has been under intense scrutiny from Western governments for several years due to concerns that user data could be exploited by China for espionage or propaganda purposes.
In 2023, the Irish DPC had already fined TikTok 345 million euros for violations of European rules concerning the processing of children's data.
The DPC's latest decision also found that TikTok breached requirements within the EU's General Data Protection Regulation (GDPR) by transferring user data to China. The ruling includes the 530 million euro administrative fine and mandates that TikTok bring its data processing practices into compliance with EU regulations within six months.
A significant portion of the fine, 45 million euros, was specifically imposed due to a lack of transparency between 2020 and 2022. During this period, TikTok allegedly failed to clearly inform users about the countries to which their data was being transferred or that it could be accessed from China.