The Irish Data Protection Commission (DPC) has issued a record €530 million fine to TikTok and ordered corrective measures following an investigation into the social media platform’s data transfers to China and transparency practices.
The decision, made by Commissioners for Data Protection Dr. Des Hogan and Mr. Dale Sunderland, centers on violations of the General Data Protection Regulation (GDPR). Specifically, the DPC found TikTok infringed the regulation regarding transfers of personal data from the European Economic Area (EEA) to China and deficiencies in how it informed users about these transfers.
The European Commission established the European Data Protection Board (EDPB) under the GDPR to ensure consistent application of data protection rules throughout the EU and EEA. The EDPB is comprised of representatives from national data protection authorities, including the DPC, and the European Data Protection Supervisor (EDPS). The Commission participates in the Board’s activities but does not have voting rights.
The DPC’s investigation focused on TikTok’s processing of personal data and whether adequate safeguards were in place for data transferred outside the EEA. The adequacy decision for the UK, renewed by the EU, confirms that the UK provides an adequate level of data protection for personal information transferred from the EEA. However, the DPC’s ruling does not address data transfers to the UK, but rather those to China.
The GDPR, applicable since May 25, 2018, aims to harmonize data privacy laws across Europe. The DPC’s enforcement action underscores the increasing scrutiny of data transfers to countries outside the EEA, particularly where concerns exist about government access to user data.
TikTok has not publicly responded to the DPC’s decision beyond acknowledging receipt of the notification. The company is expected to outline its corrective measures in the coming weeks, detailing how it will address the identified infringements and ensure compliance with GDPR requirements.
