DPC Deputy Commissioner opens up on TikTok €530m GDPR fine

During a recent IAPP LinkedIn Live session, Irish Data Protection Commission (DPC) Deputy Commissioner Cian O'Brien discussed the €530 million fine levied against TikTok for EU General Data Protection Regulation (GDPR) violations, concerning the illegal transfer of personal data to China. O'Brien explained that employees at ByteDance, TikTok's parent company, were granted access to European Economic Area (EEA) user data for business purposes, which led to the systemic, repetitive, and continuous transfer of personal data to China. He clarified that even though TikTok did not directly store large quantities of EU user data on servers in China, the remote access granted constituted a significant transfer of this data.

The DPC's investigation examined TikTok's privacy policies between 2021 and 2023 and concluded that TikTok did not adequately inform users that their data would be transferred outside the EEA. Although TikTok updated its privacy policy during the investigation, the DPC's decision was based on aspects of its 2021 policy, which stated that data was stored on servers outside of China and was subject to limited remote access by TikTok entities in China.

As a result of its findings, the DPC has ordered TikTok to bring its data transfer operations into compliance with GDPR obligations within six months or potentially face a suspension of data transfers to China. O'Brien noted that while TikTok acknowledged differences between EU and Chinese data protection standards, it did not sufficiently define the scope of these differences or consider them in the context of the specific data transfers. TikTok argued that because the data was stored outside of China, the divergences in Chinese law did not result in a lack of essential equivalence in data protection.

In response to the fine, TikTok pointed to its Project Clover initiative, which now stores European users' data in a dedicated European data enclave, arguing that the decision focused on its data transfer standards before this implementation. However, O'Brien stated that the DPC did consider the changes made by TikTok when reaching its enforcement decision and determined that it was "still necessary" to order the company to strengthen its compliance measures.