TikTok: Irish Enforcement Action Could Affect 'Thousands of Other Companies'
An Irish Data Protection Commission (DPC) decision to fine TikTok $600 million for General Data Protection Regulation (GDPR) breaches (see 2505020001) highlights the increasing scrutiny on transfers to and from a broader range of countries than just the U.S., EU and U.K., IAPP Research Director Joe Jones said Friday.
The ruling could set a precedent with "far-reaching consequences" for companies and industries across Europe that operate globally, said Christine Grahn, TikTok head of public policy & government relations, Europe.
The DPC said TikTok's transfer mechanism, standard contractual clauses (SCC), wasn't sufficient to give personal data from the European Economic Area protections essentially equivalent to those in Europe. TikTok, meanwhile, said the regulator singled it out for using the same SCCs that many other countries use without complaint.
Under the GDPR, the DPC said, TikTok was required to assess if Chinese law guaranteed an essentially equivalent level of protection to EU law but failed to do so. In fact, the watchdog said, the company's assessment of Chinese law "set out how aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law."
Specifically, the DPC said, China's anti-terrorism, counter-espionage, cybersecurity and national intelligence laws diverge significantly from EU standards. TikTok's failure to adequately assess the level of protection offered by Chinese law not only affected the company's ability to choose appropriate safeguards but also prevented it from verifying and guaranteeing the appropriate level of protection, the DPC said.
TikTok slammed the decision, saying, among other things, that the platform "followed the EU's own rules" and conducted "detailed assessments with advice from external law firms and experts."
Moreover, the Irish DPC failed to substantively consider the extensive safeguards implemented under TikTok's Project Clover, Grahn blogged. "We are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe." Many other organizations operating globally use SCCs, but unlike some, TikTok clearly explains the mechanism in its privacy policy and to its European users, she said.
The commission circulated a draft decision to other data protection authorities in February (see 2502240038). In its Friday ruling, it said there were no objections.
The watchdog has slapped substantial fines on other platforms in recent years, including LinkedIn (see 2410240008), WhatsApp (see 2301190005) and Meta (see 2301040014). In 2023, it fined TikTok $368 million for wrongful processing of children's personal data on the platform (see 2309150013).
The decision "sends a strong signal to TikTok and other platforms that they must comply with EU data protection rules," emailed European Consumer Organisation (BEUC) Digital Policy Head Maryant Fernandez. The fact that the inquiry took four years echoes the wait BEUC is experiencing with its complaints from its members: "As long as the cases are on hold, so is the protection of consumers online."