TikTok is facing a new European Union privacy investigation concerning the transfer of user data to China, according to regulators.
The Data Protection Commission (DPC) has launched this inquiry following a previous investigation that concluded earlier this year with a €530 million (£456 million) fine. The initial probe found that the video-sharing application exposed users to potential surveillance by allowing remote access to their data from within China.
As TikTok’s lead data privacy regulator within the 27-nation EU, the Irish national watchdog oversees compliance due to the company’s European headquarters being located in Dublin.
During the initial investigation, TikTok initially represented to the regulator that it did not store European user data in China, only granting remote access to the data to staff based in China.
Subsequently, TikTok revised its statement, admitting that some data had indeed been stored on servers located in China.
The DPC responded at the time indicating that further regulatory action would be considered.
“As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok,” the watchdog announced.
“The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers,” the regulator clarified, referencing the European Union’s General Data Protection Regulation (GDPR), its stringent privacy law.
TikTok, owned by China’s ByteDance, is under intense scrutiny in Europe regarding its handling of user data, fueled by concerns among Western officials about potential security risks.
TikTok emphasized that it self-reported the data issue to the DPC as part of its “Project Clover,” a localization project establishing three European data centers to address security concerns.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” the company said in a statement.
“We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”
Under the GDPR, European user data can only be transferred outside the EU if safeguards are in place to ensure an equivalent level of data protection.
While 15 countries or territories are recognized as maintaining data privacy standards on par with the EU, China is not among them.