The Irish Data Protection Commission (DPC), the European Union’s leading privacy regulator, has fined TikTok 530 million euros (around $600 million) over concerns about how the platform protects user information.
The regulator ordered TikTok to stop transferring data to China if the data processing is not brought into line with EU law within six months, Reuters reports.
The DPC said TikTok, owned by Chinese company ByteDance, had failed to demonstrate that the personal data of EU users – which is remotely accessed by staff members from China – is protected to the high level required by EU law.
The platform, popular especially among teenagers and with 175 million users across Europe, has not addressed the issue of potential access to data by Chinese authorities, according to the regulator, particularly in the context of counterintelligence laws that differ significantly from European standards.
TikTok said it was strongly contesting the regulator’s decision and was already using the EU legal framework, including the so-called standard contractual clauses, to enable strictly controlled and limited access to data. The company plans to appeal the decision.
The company also said the decision did not take into account security measures introduced in 2023, which include independent monitoring of remote access and storage of EU users’ data in dedicated centers in Europe and the US.
“TikTok has never received a request from the Chinese authorities for access to user data from the EU, nor has it ever handed over such data,” the company said in a statement.
The regulator also revealed that, despite claiming during a four-year investigation that it did not store EU users’ data on servers in China, TikTok found in February this year that a small amount of data had been temporarily stored in China – but later deleted.
“The DPC takes this information very seriously and we are considering further regulatory action,” Deputy Commissioner Graham Doyle said.
This is the second time TikTok has been fined by the DPC – the previous fine was €345 million in 2023 for breaches of regulations relating to the processing of data of children and minors.
As the EU’s lead regulator for large technology companies with regional headquarters in Ireland, the DPC has also fined companies such as Microsoft, LinkedIn and Meta since 2018, using its powers under the General Data Protection Regulation (GDPR).
Under the GDPR, the regulator can impose fines of up to 4 percent of a company’s global revenue.


