TikTok fined millions for illegally sending users' data to China

TikTok has been fined €530m (£452m) because it was illegally sending user data to China, Ireland's privacy watchdog said on Friday.

Ireland's Data Protection Commission found the social media app's data transfers to China broke strict data privacy rules in the EU. It also fined the company for not being transparent with users about how their data was being processed.

TikTok has been ordered to comply with the rules within six months. The Data Protection Commission is TikTok's powerful lead regulator in the EU because TikTok's European headquarters are based in Dublin.

"TikTok failed to verify, guarantee and demonstrate that the personal data of [European] users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," Deputy Commissioner Graham Doyle said in a statement. TikTok plans to lodge an appeal and said the decision focused on a "select period" that ended in May 2023 and "does not reflect the safeguards now in place".

It specifically referred to a data localisation enterprise called Project Clover which saw three new data centres built in Europe."The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm," said Christine Grahn, TikTok's European head of public policy and government relations. Read more from Sky News:NHS may offer weight loss jabs over counterTrump's national security adviser to leave roleNorth Korean hacker caught red-handed TikTok's parent company is based in China and it has been under scrutiny in the EU over how it handles users' data.

There have long been concerns, also voiced by US politicians, over how Chinese authorities could access and use that data. The watchdog said TikTok failed to address "potential access by Chinese authorities" to European users' personal data.

Chinese laws justifying that access, on grounds like anti-terrorism, counter-espionage, cybersecurity and national intelligence, were identified as "materially diverging" from EU standards. Ms Grahn said TikTok has "has never received a request for European user data from the Chinese authorities, and has never provided European user data to them." Under the EU rules, known as the General Data Protection Regulation, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection.

Ms Grahn said TikTok was being "singled out" despite using the "same legal mechanisms" that thousands of other companies in Europe do. The investigation, which opened in September 2021, also found TikTok's privacy policy at the time did not name third countries, including China, where user data was transferred.

The watchdog said the policy, which has since been updated, failed to explain that data processing involved "remote access to personal data stored in Singapore and the United States by personnel based in China"..