Data selling has been in the news for many years, and this time, a social media platform, TikTok, has been fined EUR 530 million under the GDPR for the same. Reports say that this short video platform has transferred its European Personal Data to China. The Irish Data Protection Commission announced on the 2nd of May about the inquiry to examine the lawfulness of TikTok's transfers of personal data of users of the TikTok platform in the EEA to the People's Republic of China ("China").
The fines comes to know after the investigation revealed that TikTok had been sending user data to Chinese data centers, despite clear regulations under the General Data Protection Regulation (GDPR). The investigation was led by DPC, which concluded that the data breach was against EU laws. The regulatory body has released an order to TikTok, where they must bring data processing into compliance, or suspend its data transfer to China.
The DPC said in a statement that "TikTok infringed the GDPR regarding its transfers of EEA [European Economic Area] User Data to China and its transparency requirements." They also added, "The decision includes administrative fines totaling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months."
The Deputy Commissioner of DPC, Graham Doyle, commented that the data transfer was against Article 46(1) and Article 13(1)(f) of GDPR because it failed in two areas, one of which is the verification, and the second is to guarantee the personal data of EEA users. The core findings of the investigation consist of the lawfulness and the transparency that TikTok has breached.
Doyle said, "The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer E.U. Data Protection Authorities." In the same vein, Graham also noted that "The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them."
This ByteDance-owned company got the fine for the second time. The first fine came into existence in September 2023, for violating GDPR laws for dealing and handling children's data, and regarding this matter, they were fined €345 million (nearly $368 million at that time).
The Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, made a decision when they found such infringements by TikTok regarding the data transfer, and on the 21st of February 2025, submitted a draft against the GDPR cooperation mechanism as per Article 60 of the GDPR.
Are there any laws on DATA TRANSFER outside the EU?
By ensuring a high level of data protection, the transfer of personal information can be carried out, but it must meet the conditions laid down in Chapter V of GDPR.
- Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection ("Adequacy Decision").
- Under the GDPR where an organisation ("Data Controller") intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses.
- These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.
DPC Deputy Commissioner Graham Doyle later commented by continuing his statements, "As a result of TikTok's failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards."
TikTok's issue across the world
TikTok's parent company, ByteDance, is based in China. Still, the majority of its investors are international, which puts some internal stress on them because they have to comply with Chinese rules and regulations. Moreover, TikTok is banned in several nations for data infringement, vulgar media content, and other things, and some of the countries include India, Pakistan, Nepal, the French territory of New Caledonia, etc. Another great fear which American have while using tiktok is that, experts keeps questioning about the transparency of data transfers and the major fear is wether they can send it to Chinese government and following this, the former american president has also signed a law where they ensure Tiktok to "divest its US operations or Face a ban."