Written by: Haim Ravia, Dotan Hammer
The Irish Data Protection Commission (DPC) recently issued a hefty fine against TikTok Technology Limited due to its practices involving transferring personal data to the People’s Republic of China (PRC) through remote access of staff members and failing to meet data transfer-related transparency requirements.
The decision follows an investigation that found that, despite TikTok’s claims, it held personal data of Europeans on a server located in the PRC. The transfer could have been lawful had TikTok implemented supplementary measures effective in providing protection essentially equivalent to that guaranteed within the EU.
A major point in the DPC’s decision is TikTok’s failure to adequately assess the levels of privacy protections provided by Chinese laws such as the Chinese Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law, and the National Intelligence Law that “materially diverge from EU standards.” The DPC rejected TikTok’s stance that remote access isn’t a transfer subject to these laws.
TikTok’s data transfer deficiencies make up €485 million of the €530 million fine. The remaining amount was issued due to TikTok’s privacy policy not indicating the PRC as one of the countries to which personal data will be transferred. This was determined to be a violation of the transparency requirement in the GDPR. The DPC also gave TikTok six months to comply with legal requirements or cease all data transfers to the PRC.
Click here for the DPC’s announcement.
