
EU fines TikTok €530m for privacy failures like sending Europeans’ data to China


This is not the first time it got into hot water in the European Union, but TikTok is caught between a rock and a hard place at the heart of a modern and increasingly acute dilemma

TikTok, which is owned by the Chinese company ByteDance, has been fined €530 million by Ireland’s Data Protection Commissioner (DPC) amid concerns that it fails to protect users’ information in line with European Union law. TikTok has 175 million users in Europe and this is the second reprimand by the EU’s leading privacy authority, the DPC.

Some of the data is accessed remotely by staff in China, which in the DPC’s view does not address the danger of Chinese authorities accessing the data under counter-espionage and other legislation.

But the matter which really seems to have riled the DPC is that in March, TikTok admitted that in the previous month it had discovered that “a limited amount” of data was stored in China but was deleted. “The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted,” DPC Deputy Commissioner Graham Doyle said.

The DPC added that during its four-year inquiry it had not found EU users’ data stored on servers in China.

Contesting

Naturally, TikTok is strongly contesting the DPC’s findings, stating that it has never received a request for EU users’ data from the Chinese authorities, and has never provided data to them.

It also pointed out that it uses the standard contractual clauses of the EU’s own legal framework to grant only tightly controlled and limited remote access. It further argues that the Commission’s ruling does not fully take into account the data security measures initiated in 2023 to monitor remote access and ensure data originating in the EU stays within dedicated data centres in the EU and US.

Not a first offence

TikTok was fined €345 million in 2023 for its handling of children’s accounts, including failing to shield underage users’ content from public view.

Under the EU’s General Data Protection Regulation (GDPR), which also covers European Economic Area member states Iceland, Liechtenstein and Norway, the lead regulator for any given company can impose fines of up to 4% of its global revenue.

A modern dilemma

The debacle again highlights the dilemma faced by countries that amass, process and store data outside their domestic territories. The European Union can insist on compliance within the bloc and punish non-compliance with hefty fines, but what happens if the Chinese or US governments invoke their own laws to force access to European data from companies with headquarters in those countries?

Presumably Europe’s authority is trumped.

The US recognises the danger too, which is why it wants TikTok taken out of Chinese ownership or its use banned in the US (although the US President keeps extending the deadline), just as fear of espionage was among the reasons given for banning Huawei’s equipment in 5G infrastructure in the US and elsewhere.

US companies with operations in Europe are clearly jittery too: Microsoft is concerned about its European customers’ anxiety on this point, as shown by the diplomatic visit to Europe earlier this week by Brad Smith, Microsoft’s top lawyer, designed to allay fears on several fronts.

On the upside, Microsoft knows a lot about waging long wars in court on both sides of the Atlantic.
