The Irish Data Protection Commission (DPC) is expected to impose a fine exceeding €500 million on TikTok’s parent company, ByteDance, for unlawfully transferring European user data to China for analysis. This is anticipated to be the third largest GDPR fine, following Meta’s €1.2 billion and Amazon’s €746 million penalties. Acting as TikTok’s primary European regulator, the Irish DPC is likely to finalise its decision by the end of April, concluding a 2021 investigation that revealed Chinese engineers accessed and analysed European user data.
The investigation revealed that ByteDance violated the General Data Protection Regulation (GDPR) by transferring European user data to China. Former Data Protection Commissioner Helen Dixon had previously indicated that some of TikTok’s EU data might be accessible to Chinese teams. This marks the second significant penalty against the company, following a €345 million fine in 2023 for breaches related to handling data from users under 18, including default public settings, the Family Pairing feature, weak age verification, and steering users towards more privacy-invasive options.
The timing of the fine is particularly critical, as ByteDance faced a deadline in early April in the United States to agree on the sale of its U.S. operations to avoid a ban. President Donald Trump, speaking to the press aboard Air Force One, mentioned that the deal could be announced soon and raised the possibility of easing tariffs on China if Beijing approves the transaction. The primary sticking point remains the TikTok algorithm: while U.S. investors want it to remain in American hands, the Chinese government firmly opposes its inclusion in any deal.
Sources:
1.
Samuel Stolton
2.
drg.korisnik
3.
Ann O’Dea
