After a decision by the Data Protection Commission Ireland as the responsible supervisory authority, it is now clear: The Tikok mother company had lied to the supervisory authorities for years. Now she should pay a punishment, which is very welcomed by data protectionists. At least some data from EU users were stored on servers in China, as Tikkok operator bytedance had to admit in April. Supposedly only in February 2025 had Bytedance itself found that the previous information was incorrect.
Bytedance had to grant China storage
“The DPC takes these recent developments very seriously,” says Graham Doyle, the deputy chairman of the Irish data protection supervisory authority. “Even if Tikok has announced the DPC that the data has now been deleted, we together with the other EU data protection supervisory authorities will check which further regulatory measures are necessary.” Tikkok had also publicly claimed that user data that is subject to the General Data Protection Regulation would not be stored in China: for example, it is said on one day “Myths and Facts” page of the operator bytedance that data would be stored in the USA, Singapore and Malaysia, but not in China. There have been doubts about this for a long time. With the admission in the Irish data protection procedure, the company’s previous claim has now been refuted.
In the amount of 530 million euros
In the procedure that has been running since 2021, the DPC has now given a fine of 530 million euros against the TikTok operator. Media reports became known at the beginning of April that a punishment in this amount was in the room. The Irish supervisory authority is responsible for enforcing the General Data Protection Regulation due to the company’s European seat.
Applauder data protection officers and Wissing
“The record penalty against Tikkok is correct and sets a clear sign: Our European rules apply to everyone – also for international digital groups,” said Federal Minister for Digital and Verh Volker Wissing on Friday afternoon. The outgoing minister emphasized: “Even the ongoing procedures of the EU Commission against Tikkok and other platforms must be emphasized in order to consistently counter risks such as disinformation and manipulation.”
The Berlin state data protection officer Meike Kamp, responsible for the German supervisory authorities, also welcomed the procedure of the Irish counterparts and emphasized the close cooperation with the authorities there. It was “amazed that Tikkok was now admitted shortly before the end of the investigation – and contrary to the other statements in the procedure – that the data was not only accessible from China, but that European data was also saved directly on Chinese servers.”
GDPR and storage in China hardly compatible
The DPC ordered that TikKok had to bring its data processing into line with the GDPR within six months and had to post data transfers to China if this does not take place in accordance with GDPR. To do this, bytedance would have to prove that the protection of the data will also take place comparable to the EU protection level even when storing there.
The legislation of the People’s Republic itself stands in the way: The totalitarian one -party state approves massive access rights and compensation obligations for Chinese citizens in security law and whether the law of China plays a greater role in cases of national security, many experts doubt. Data transfer to the People’s Republic would only be permitted through technical measures to protect EU data.
However, Tikkok failed to “check, guarantee and demonstrate that the personal data of users from the European Economic Area, to which employees in China access from a distance, enjoy a level of protection that essentially corresponds to the level of protection guaranteed in the EU,” says the DPC. Tikok has thus not taken into account a “potential access by Chinese authorities to personal data from the European Economic Area under Chinese laws on the fight against terrorism, the defense against espionage and other laws.”
Data center in Norway is supposed to set up a problem
Bytedance sees itself treated unfairly
In a response to the decision of the DPC Ireland, Tikkok operator bytedance is wrongly faced with the pillory. By contrary to the DPC, Bytedance, in the use of the standard contract clauses, has very well made the necessary ratings. Bytedance wants to contest the decision of Irish data protection supervision.
Access by Chinese authorities to data from the EU categorically excludes the company: “It has never received a request from the Chinese authorities for data from European users and has never given them data from European users,” writes Christine Grahn, head of the Public Policy department at bytedance Europe. The problem with data transmitted to China was found by its own teams and reported to the DPC, which Bytedance wants to be understood as exemplary. The operator issues billions for secure infrastructure and independent monitoring of the data flows, the statement continues.
Discover more from Apple News
Subscribe to get the latest posts sent to your email.