Ireland’s Data Protection Commission (DPC) has launched a fresh inquiry into
TikTok’s transfers of personal data to Chinese servers, it said Thursday,
following on from its investigation that led to a €530 million fine against the
company in April.
TikTok informed the Irish regulator in April that a limited amount of EU user
data had been stored on servers in China, an issue the company said it had
discovered in February.
The disclosure contradicted the firm's long-held position that personal data of
EU users was only accessed remotely by the platform's staff in China. But it
came just before the investigation concluded, so the DPC did not investigate it
fully at the time.
The regulator in April fined TikTok for not sufficiently protecting EU personal
data from Chinese state surveillance.
The DPC earlier this year expressed “deep concern” that TikTok submitted
“inaccurate information to the inquiry.”
In a statement on Thursday, it said it had decided to open a new inquiry into
the personal data transfers to servers in China after consulting with other data
protection authorities in Europe.
The Irish regulator said the inquiry will focus on whether TikTok has complied
with its obligations under the EU’s General Data Protection Regulation,
including articles relating to accountability, transparency, cooperation with
supervisory authorities and compliance with rules around data transfers outside
of the EU.
TikTok was notified earlier this week about the Irish DPC’s decision to launch a
fresh inquiry.
The company has been contacted for comment.
WhatsApp plans to roll out a new advertising model in the coming months, but the
company has told Ireland’s privacy regulator that it won’t affect the EU until
next year.
WhatsApp owner Meta announced the launch of new features in WhatsApp’s “Updates”
tab on Monday, including targeted advertisements and a subscription model. It
said the features would start to appear for users “over the next several
months.”
The announcement immediately raised concern among privacy organizations, in
particular over the fact that Meta will also use "ad preferences and info" from
people's Facebook and Instagram accounts where those accounts are linked to
WhatsApp.
Speaking to reporters on Thursday, the Irish Data Protection Commission,
responsible for enforcing the EU’s General Data Protection Regulation against
Meta, said that it has been informed by WhatsApp that its advertising model
won’t roll out in the EU until 2026.
“That new product won’t be launching [in] the EU market until 2026. We have been
informed by WhatsApp and we will be meeting with them to discuss any issues
further,” said Commissioner Des Hogan.
He added that the advertising model will be discussed with other data protection
authorities “so that we can reflect back any concerns which we have as European
regulators.”
A spokesperson for WhatsApp confirmed that the advertising model is a “global
update, and it is being rolled out gradually around the world.”
Meta said in the announcement that the new features are built “in the most
privacy-oriented way possible,” and has emphasized that sharing of data between
WhatsApp, Instagram and Facebook will only happen when users have opted in to
having their accounts linked.
The U.S. social media giant previously paused the rollout of flagship artificial
intelligence technology in the EU over privacy concerns from the Irish
regulator.
Commissioner Dale Sunderland said that regarding WhatsApp’s advertising model,
they “haven’t had that sort of conversation” with the company.
“We’re still early days, we’ll engage as we do with every other new feature, new
issue that they bring to us … and at this stage, it’s too early to say what, if
any, will be any red line issues,” he said.
BRUSSELS — The European Union’s most iconic tech law was long thought to be
untouchable.
Those days are over.
The EU executive on Wednesday will present its plan to amend the General Data
Protection Regulation, GDPR for short, to ease reporting requirements for small
and cash-strapped businesses. That same evening, EU officials are negotiating
the final details of a separate law that’s meant to fix some of what’s seen as
the GDPR’s original design flaws.
It’s the latest law to fall victim to the European Commission’s drive to slash
red tape and “simplify” EU legislation for the benefit of businesses and growth.
The EU’s landmark economic report by former Italian Prime Minister Mario Draghi
warned in September that Europe’s complex laws were preventing its economy from
keeping up with the United States and China. Draghi singled out the GDPR in
particular as hampering innovation.
Digital rights groups and EU insiders often praise the GDPR for setting the
global standard for the protection of privacy. For many businesses, though, it
is seen as a symbol of costly, burdensome EU rules.
But changing the GDPR threatens to topple a delicate balance between privacy
activists and business lobbies in Brussels.
Negotiations on the GDPR from 2012 to 2016 triggered one of the biggest lobbying
efforts Brussels has ever seen. Since it took effect in 2018, the EU has steered
clear of amending it, fearing it would reignite the vicious lobbying war.
The Commission has preempted some of those worries, saying its simplification
proposals will be limited to easing reporting requirements and won’t touch the
underlying principles of the GDPR.
A review of the law last summer showed “the need for greater support [for]
businesses, especially SMEs, in their compliance efforts,” Justice Commissioner
Michael McGrath said.
Emails seen by POLITICO earlier this month showed the proposal is expected to
extend reporting exemptions currently reserved for SMEs (with fewer than 250
employees) to mid-cap companies (with fewer than 500 employees). It would also
create more exemptions for these smaller businesses, freeing them from keeping
records or preparing privacy impact assessments.
On Wednesday evening, negotiators will head into final crunch talks to agree on
extra rules to speed up GDPR investigation procedures. The new rules aim to spur
sluggish cross-border data protection probes, which can drag on for years and
often involve Big Tech companies.
The goal is to set clearer ground rules for how national data protection
regulators work together, clarify the rights of complainants and those being
investigated during the process, and, crucially, set concrete deadlines for
investigations.
According to four people familiar with the negotiations, most of the text has
already been agreed, and the main things left to be hammered out on Wednesday
evening are the length of deadlines and judicial remedies.
The EU is unlikely to stop there in its efforts to trim its famed privacy law.
When consulting companies and experts about Wednesday’s proposal, the Commission
said there could be “possible future reflection on the application of the GDPR.”
In a separate consultation about an upcoming Data Union Strategy, it also
name-checked the GDPR as one law on the table for possible “consolidation.”
And countries have asked the EU executive to clarify how the new Artificial
Intelligence Act interacts with the GDPR, according to a document obtained by
POLITICO.
Pieter Haeck contributed reporting.
EU privacy regulators have for the first time taken aim at Beijing’s sweeping
surveillance laws in a ruling that threatens to cut off data pipelines with
China to protect Europeans.
Ireland’s powerful privacy regulator slapped TikTok with a €530 million fine on
Friday, ruling it illegally sent data to China and couldn’t guarantee this was
safe from government snooping.
The decision is a watershed moment for Europe’s relationship with Beijing when
it comes to the bloc’s flagship data privacy rules and has significant
implications for any company transferring personal data from the EU to China.
Friday’s ruling means the “screw is turning” on data flows to China, said Joe
Jones, research director at the International Association of Privacy
Professionals, which represents people working in the world of privacy globally.
“We’ve had over a decade of EU-U.K., EU-U.S. fights and sagas on [data flows].
This is the first time we’ve seen anything significant on any other country
outside of that transatlantic triangle — and it’s China,” said Jones.
Most high-level enforcement of the EU’s General Data Protection Regulation
(GDPR) has so far targeted American tech giants, as Europe and the United States
have bickered over legal protections for personal data sent across the
Atlantic.
Chinese surveillance and data privacy breaches had remained out of the EU's
crosshairs, but the growth in popularity and EU presence of big Chinese players
has now cast a spotlight on Beijing's techno-authoritarian tendencies.
Earlier this year, six Chinese companies (AliExpress, SHEIN, Temu, WeChat and
Xiaomi as well as TikTok) were the target of complaints filed with European data
protection authorities by Austrian privacy group Noyb, founded by privacy
activist Max Schrems.
The third-largest fine ever for a breach of the EU’s data protection rulebook,
Friday’s decision by Ireland’s Data Protection Commission highlights that
China’s laws are fundamentally at odds with European data protection principles.
The fact that the Irish decision was backed by all European data protection
authorities with no objections is “pretty significant,” Jones said. “I expect
the question of where data can flow, and how, will quickly become part of the
conversation on competitiveness.”
TikTok, in its response, said the ruling “risks setting a precedent with
far-reaching consequences for companies and entire industries across Europe that
operate on a global scale,” and “delivers a blow to the European Union’s
competitiveness.”
The ruling, and especially the fact that TikTok had been storing a limited
amount of European user data on Chinese servers, is also likely to prick the
ears of U.S. authorities which are trying to force a sale of TikTok from Chinese
parent ByteDance to a U.S. owner.
The U.S. has similar concerns over how Chinese authorities can access Americans’
data. TikTok has repeatedly insisted it does not store U.S. data in China.
THE €530 MILLION QUESTION
TikTok has been working for years to stave off a heavy fine.
Companies sending EU data to China don't have an overarching legal framework for
this, such as the adequacy decision that covers transfers to the U.S. Instead
they rely on individual contracts (the EU's standard contractual clauses),
through which China-based companies receiving EU data pledge to follow EU
protections.
Two years after the Irish investigation was launched, TikTok also unveiled a €12
billion plan called Project Clover to assuage EU concerns over Chinese
surveillance through the app. This centered around keeping European users’ data
on servers in Europe and allowing a European security company far-reaching
access to audit cybersecurity and data protection controls. Just this week,
TikTok confirmed a €1 billion investment in a new data center in Finland.
The question now being asked by TikTok and other European businesses sending
data to China is: if specific contracts and locating data servers in the EU are
not enough to satisfy regulators, then what is?
TikTok said on Friday it was “disappointed to have been singled out” despite it
relying on the “same legal mechanism employed by thousands of other companies
providing services in Europe.”
“If the extensive measures implemented under Project Clover … as well as
independent, third-party monitoring are deemed insufficient, it’s reasonable to
ask: what would be considered sufficient?” said Christine Grahn, TikTok’s head
of public policy and government relations for Europe.
TikTok now has six months to find a way to make its data transfers to China
compliant with the GDPR or shut off the flow of EU data to China entirely.
The company has said it plans to challenge the decision, which will delay the
six-month ultimatum. But any business taking a similar legal approach to TikTok
will now be in the dark about how it can legally send data to China.
‘GREY ZONE’
Chinese laws like the Anti-Terrorism Law, the Counter-Espionage Law, the
Cybersecurity Law and the National Intelligence Law give the government sweeping
powers to order Chinese companies to hand over data.
Tim Rühlig, senior analyst for Asia and Global China at the European Union
Institute for Security Studies, said that there is currently a legal "grey zone"
in terms of how those surveillance laws apply to data stored outside of China.
“It’s a one-size-fits-all clause that says organizations [and] natural persons
of China have to comply with security services when asked something. I have a
hard time seeing a Chinese company saying, ‘Sorry that that piece of data that
you’re asking for lies on a European server,’” he said.
Rogier Creemers, lecturer in Modern Chinese Studies at Leiden University, said
it was “notoriously difficult to monitor” how often Chinese authorities actually
use these powers, but the risk that EU citizen data will be snooped on is “not
zero.”
Although the Irish regulator’s decision is specifically related to TikTok’s data
handling practices, Creemers said that other companies sending data to China
will “definitely reassess their own compliance strategies with the GDPR, and
whether those compliance strategies will need to be revised.”
TikTok has to pay €530 million in penalties because it sent the personal data of
Europeans to China illegally and wasn’t transparent enough with users, Ireland’s
powerful privacy regulator said Friday.
The Irish Data Protection Commission (DPC) said TikTok breached the EU's
flagship data protection rules when it sent European user data to China because
it couldn't guarantee that the data was protected from access under China's
surveillance laws.
Taking a stance on data transfers to China for the first time, the regulator
said TikTok failed to adequately assess the implications of Chinese surveillance
laws on Europeans’ data.
Those laws — which give the Chinese government sweeping powers to order
companies to hand over data — “materially diverge from EU standards,” TikTok
acknowledged during the inquiry.
The regulator also said TikTok breached transparency rules between 2020 and 2022
because it didn’t tell users that personal data was being transferred to China.
It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”
The company has been fined €485 million for its data transfers to China and €45
million for the lack of transparency in its privacy policy.
The fine is the third-largest ever for a breach of the EU’s General Data
Protection Regulation. TikTok has its EU headquarters in Ireland, meaning the
Irish DPC is the lead authority in charge of enforcing the EU rules.
TikTok had for years claimed it did not store European or American user data on
servers in China, but in April informed the regulator that it had discovered in
February that “limited EEA User Data” had in fact been stored in China.
Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this
discovery "very seriously" and that, while TikTok has said it deleted the data
from the Chinese servers, the DPC was considering "what further regulatory
action may be warranted."
TikTok has been given six months to bring its data processing practices in line
with the EU’s privacy rules, or suspend all data transfers to the country.
TikTok said it “strongly contest[s]” the Irish DPC’s findings and plans to
appeal in full.
“Beyond the DPC’s failure to substantively consider the extensive safeguards
[already implemented by Tiktok], we are disappointed to have been singled out
despite relying on the same legal mechanism employed by thousands of other
companies providing services in Europe,” said Christine Grahn, TikTok’s head of
public policy and government relations for Europe, in a written statement.
TikTok pointed to its €12 billion investment in Project Clover, which is rolling
out data centers in Europe to store data locally in the EU, as well as other
privacy safeguards. The Irish DPC acknowledged the project but said it was not
enough to sway its decision.
Grahn emphasized that TikTok has “never received a request for European user
data from the Chinese authorities, and has never provided European user data to
them.”
She said that the Irish DPC ruling “risks setting a precedent with far-reaching
consequences for companies and entire industries across Europe that operate on a
global scale,” and “delivers a blow to the European Union’s competitiveness.”