TikTok has claimed Ireland’s decision to impose a €530 million fine will damage the European Union’s economic competitiveness and have “far-reaching consequences for companies and entire industries across Europe.”
In a statement today responding to the Irish Data Protection Commission’s (DPC) ruling, TikTok’s Head of Public Policy & Government Relations for Europe, Christine Grahn, said the decision “fails to fully consider” the company’s €12 billion Project Clover initiative, introduced in 2023 to improve data security.
“The decision fails to fully consider Project Clover, our €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere,” she said.
Grahn pointed out that the DPC itself acknowledged in its report that TikTok “has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”
“We disagree with the decision and plan to appeal in full,” she added.
TikTok criticised the DPC ruling for concentrating primarily on a period prior to the implementation of Project Clover, arguing it does not reflect current safeguards.
“With 175 million users across Europe, more than 6,000 employees, and a platform that has helped small businesses contribute €4.8 billion to GDP and over 51,000 jobs, TikTok is deeply integrated into the European economy,” Grahn stated.
She expressed concern that the DPC’s decision could set a troubling precedent for global companies operating in Europe, asserting: “This decision has implications not just for TikTok, but for any company in Europe operating globally.”
The DPC announced earlier today that it had fined TikTok €530 million following an investigation into the platform’s compliance with GDPR in relation to transfers of European Economic Area (EEA) user data to China.
Deputy Commissioner Graham Doyle explained that TikTok’s data transfers to China “infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” Doyle added.
The DPC also highlighted that TikTok had provided incorrect information during the inquiry, initially denying storage of EEA user data on servers located in China. TikTok later revealed limited EEA user data had been stored on Chinese servers, contrary to its earlier statements. Although TikTok informed the DPC that the data was subsequently deleted, Doyle confirmed the authority is considering further regulatory action in consultation with other EU Data Protection Authorities.
TikTok maintains it has strictly adhered to the EU’s data transfer rules by using Standard Contractual Clauses, a widely adopted legal framework for international data sharing.
“Beyond the DPC’s failure to substantively consider the extensive safeguards implemented under Project Clover, we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” Grahn said.
TikTok now faces an order to bring its data processing into compliance within six months, or face suspension of data transfers to China.