This week, a short-form video platform TikTok, owned by Chinese ByteDance, was sued by EU regulators once again for failing to sufficiently protect user data under EU law.
With 175 million users in Europe, it is no surprise the platform has been scrutinised through the the GDPR (General Data Protection Regulation) lens before. In 2023, the Data European Protection Board found that TikTok had infringed on the GDPR principle of fairness by processing personal data of children between the ages of 13 and 17. The registration process on the platform was also designed to nudge users to create public profiles while hiding options to post privately, which can have major negative impact on childrens’ privacy. This resulted in a 345 million euro fine for the company in addition to reprimand and compliance order.
“Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”
Now, TikTok has been fined once again by EU regulators for failing to protect EU users‘ data. This time, data could be accessed remotely from China, and some data was even found to have been stored there. This resulted in a 530 million euro fine together with a compliance order to rectify its data procession within six months.
DPC Deputy Commissioner Graham Doyle commented on the decision: “TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
TikTok will be appealing the EU’s decision, and has denied breaking GDPR laws in a response. At the same time, they claim to have put in place further digital security gateways, and that all European user data will be stored on European servers by default. The platform emphasises that it has been deeply integrated into the European economy and that “this ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale. It delivers a blow to the European Union’s competitiveness.”
The National Board of Trade Sweden agrees that data protection regulations such as the GDPR can have a negative effect on international trade due to cross-border data flows difficulties, regulatory uncertainties, and compliance costs for businesses. It has hindered productivity and global competitiveness – but it has set the tone for global data regulation and builds trust in the digital economy.
So while GDPR may indeed prove cumbersome for European businesses, it is also very much a reason why Europeans have so much faith in them. It provides a level playing field with equal rules for everyone on the market. Especially in an increasingly digital era where data is incredibly valuable for everyone, it is paramount that users remain in control of their data and that it is not used for bad business practices or even weaponised by governments.