A five million euro fine for privacy violations welcomes TikTok to an expensive club.
It’s not the first time the Chinese company has been fined for breaching EU data protection laws, and €5 million ($5.4 million) is still a long way off the €390 million ($421.9 million) fine that the Irish Data Protection Commission (DPC) slapped Meta with earlier this month.
But for TikTok, the latest penalty issued by the French privacy watchdog, National Commission for Computing and Liberties (CNIL), marks an important milestone.
The fine in question relates to the social media website’s cookie policy and how it made it far easier to accept cookies than to decline them. As a CNIL statement explained this month, upon visiting the TikTok website, “several clicks were necessary to refuse all cookies, against only one to accept them.”
Two days before the CNIL announced its fine, TikTok chief Shou Zi Chew was in Brussels meeting with officials, including Věra Jourová, vice president for values and transparency at the European Commission.
And given the recent scandal surrounding TikTok staff snooping on journalists and attempting to track them using their data, the stakes were high for Chew going into the discussions.
After their meeting, Jourová tweeted that she is counting “on TikTok to fully execute its commitments to go the extra mile in respecting EU law and regaining [the] trust of European regulators.” She added that “there cannot be any doubt that [the] data of users in Europe are safe and not exposed to illegal access from third-country authorities.”
Saying Goodbye to Fine-Free Days
While TikTok has stayed relatively under the EU radar compared to its U.S. Big Tech peers, the recent attention it has received from senior EU officials suggests that those days may now be over.
Outside of France, the platform is also facing two investigations by the Irish supervisory authority for the General Data Protection Regulation (GDPR), the Data Protection Commission (DPC), the first of which will examine the firm’s compliance with the EU’s GDPR in relation to how it processes the data of users under the age of 18.
The second probe will focus on the transfer of personal data to China and whether this move is in breach of the GDPR rules.
In the U.K., the firm is also facing a 27 million pound (about $33.1 million) penalty for processing the data of children under the age of 13 without the necessary parental consent. This topic remains one of the central themes of European privacy concerns around TikTok.
And before the DPC picked up the issue in Ireland and TikTok established offices in Dublin, the Dutch Data Protection Authority (DPA) had already imposed a fine of €750,000 ($808,950) on the firm for violating the privacy of young children.
Lessons From Meta
With TikTok now firmly in the EU’s regulatory spotlight, there are some important lessons it can learn from Big Tech firms like Meta that have been subject to intense DPC scrutiny for years.
In Meta’s most protracted GDPR dilemma, the DPC has repeatedly cautioned that exporting data to the U.S. by using catch-all contractual terms in its user agreements is against the law.
The legal quagmire of the EU’s data sovereignty policy has caused difficulties for Big Tech companies that rely on transatlantic data flows, with the likes of Google, Amazon and Microsoft all wrestling with the issue in one way or another.
Increasingly, such international businesses are turning to data localization to appease EU regulators and continue doing business in Europe without falling foul of GDPR rules.
In fact, from Amazon Web Services’ digital sovereignty pledge to Microsoft’s recently launched EU Data Boundary, 2022 was a turning point in how Big Tech firms approached international data flows.
And after years of fines and fraught relationships with the EU, a tacit agreement on data storage appears to be emerging that favors end users’ ability to have their data stored on servers based within the bloc.
Judging by statements made by TikTok, the Chinese company has also learned that it will need to invest in EU data localization if it wants to stay in the DPC’s good books.
As the firm stated on its website last April, it is building a data center in Dublin from which it will house U.K. and European Economic Area user data “based on the principles of storing … TikTok user data locally [and] minimizing data flows outside of the region.”