TikTok had maintained that it did not store EEA user data on servers in China, however, it later said that was untrue.
The Irish Data Protection Commission (DPC) has launched another inquiry into TikTok after the company found evidence that it disclosed inaccurate information to the watchdog during its last investigation.
The DPC started probing TikTok back in 2021, concerned over the Chinese-owned social media platform’s data transfer practices when it came to users in the European economic area (EEA).
In essence, the EU places strict security requirements on companies that transfer user data from the region to a third country.
Concluding the four-year-long investigation earlier this year, the DPC found that TikTok had breached the EU General Data Protection Regulation (GDPR) by failing to verify, guarantee and successfully demonstrate that the personal data of EU users was given the same level of protection when remotely accessed by employees in China that it would have been in the EU.
The social media platform got fined €530m as a result.
In a statement at the time, TikTok said that the ruling set a precedent with “far reaching consequences” for global companies.
It said that the decision didn’t consider the company’s “stringent” data security measures featured in Project Clover – its billion-euro data security initiative. TikTok has appealed against the fine in Irish courts.
Inaccurate information
Throughout the previous inquiry, TikTok had maintained that it did not store EEA user data on servers located in China.
The company said that the data could only be accessed by TikTok staff in China through remote access.
However, the company said that in February of this year it discovered evidence of “limited” EEA user data stored on Chinese servers, and informed the DPC of its findings in April.
The DPC’s late April fine does not take this into account, and today (10 July), the watchdog has announced a new inquiry to determine whether the company complied with the GDPR when transferring EEA user data into China.
Among other concerns, the inquiry will consider if TikTok has been accountable and transparent about third-country data transfers. SiliconRepublic.com has reached out to TikTok for comments.
In a statement earlier this year, DPC deputy commissioner Graham Doyle said that the watchdog is taking the recent developments “very seriously”.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
In 2023, TikTok was fined €345m after the DPC found that the social media giant did not comply with GDPR rules relating to the processing of children’s data.
That fine, however, has also been appealed by TikTok in both Ireland, as well as with the Court of Justice of the European Union.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
