A landmark final decision from Ireland's Data Protection Commission may bring a halt to EU data transfers by TikTok to China. In addition to a 530 million euro fine for unlawful transfers and lax transparency under the EU General Data Protection Regulation, TikTok faces a potential transfer ban if it does not take up prescribed corrective measures within six months.
Additionally, the DPC noted in a press release TikTok recently reported "limited (European Economic Area) User Data had in fact been stored on servers in China" despite consistent assertions to the contrary. The regulator indicated it is exploring further investigation or action against the new revelations.
Any potential evidence of Chinese data storage could present broader national security concerns as ByteDance, TikTok's Chinese-based parent company, is negotiating a divestment agreement with the U.S. government. Last month, U.S. President Donald Trump granted a second extension for the company to divest its operations in the U.S.
"TikTok's personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," DPC Deputy Commissioner Graham Doyle said in a statement.
He explained the assessment shortcomings resulted in TikTok's alleged failure to address data access by Chinese authorities under various national surveillance laws "identified by TikTok as materially diverging from EU standards.”
The initial TikTok inquiry began in 2021. The DPC indicated the company's new data storage disclosures came in April after first being discovered in February.
Doyle said that while the transferred data in question has since been deleted, the DPC is taking the matter "very seriously" and will hold conversations with fellow EU data protection authorities about next steps.
The DPC did not immediately release the text of the full decision. TikTok was notified of the final decision 1 May, which commences the period for corrective action, and already stated its intention to appeal.
The decision is unique in that it generated consensus among European Data Protection Board members and marked the first EU data transfer enforcement action involving data moving to a country besides the U.S.
TikTok's rebuttal
TikTok Head of Public Policy and Government Relations for Europe Christine Grahn issued a response, noting the DPC's decision "focuses on a select period from years ago" and "fails to fully consider" Project Clover, a multibillion-euro data security initiative focused on "strict access controls" and default storage of EU data in the bloc and the U.S.
"Beyond the DPC’s failure to substantively consider the extensive safeguards implemented under Project Clover, we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe," Grahn wrote. "Like many organisations that operate globally, TikTok has used the EU’s own legal framework, specifically, Standard Contractual Clauses to grant tightly controlled and limited access to employees in countries without data adequacy agreements."
The decision came a day after TikTok announced increased EU data storage capacity with a new 1 billion euro data center in Finland. The company previously erected storage facilities in Ireland and Norway under Project Clover.
With regard to the fresh allegations on Chinese-based data storage, a TikTok spokesperson told the IAPP the strides the company has made on data security measures under Project Clover helped uncover the issue it reported to DPC. They said the situation shows the secure localization initiative is "working as intended to protect EU user data."
"Our teams proactively discovered the issue through the comprehensive monitoring system TikTok implemented under Project Clover," the spokesperson added. "We acted immediately: deleting the data, updating our systems and promptly informing the DPC."
Joe Duball is the news editor for the IAPP.