The Irish Data Protection Commission’s clampdown marks a turning point in how data flows are regulated globally.
TikTok is once again at the centre of a regulatory storm – and this time, it’s not just about dance videos or underage users. Ireland’s Data Protection Commission (DPC) is is to fine the app’s parent company, ByteDance, €530m for unlawfully transferring European user data to China – a decision that could have consequences well beyond the platform itself.
The fine is the third-largest issued under the EU’s General Data Protection Regulation (GDPR). It follows a lengthy investigation that concluded ByteDance breached EU rules by allowing engineers in China to access data belonging to EU citizens. According to sources cited by Bloomberg, the ruling will also order TikTok to stop these data transfers within a set timeframe.
Want to go deeper? Ask The Drum
This latest move adds to a growing list of high-profile fines from Ireland’s data watchdog, which has become the de facto privacy enforcer for Big Tech in Europe, owing to many firms basing their EU operations in Dublin. Previous record-breakers include €746m against Amazon and €1.2bn against Meta.
The decision also lands at a time when TikTok is facing pressure across the Atlantic. The US government has given ByteDance until early June to divest its American operations or face a nationwide ban. Amazon and AppLovin have emerged as surprise suitors, underscoring just how politicised the platform has become.
But while the headlines focus on TikTok, the real story may be the growing fragmentation of the global data economy.
Joe Jones, research director at the International Association of Privacy Professionals (IAPP), believes the decision marks a turning point in how data flows are regulated globally. “The halcyon days of data transfers, brief as they may have been, are behind us,” he says. “Regulatory, geopolitical and industry developments are carving the world up into greenlisted, redlisted and firewalled blocs for data sharing, making international data transfers a renewed priority and a heightened area of complexity for organisations and policymakers.”
Jones adds that scrutiny is no longer confined to the well-trodden triangle of Brussels, London and Washington. “We’re now seeing increasing focus and activity on transfers to and from a broader, more varied and more complex array of jurisdictions: China, India and Brazil, to name a few.”
And China, in particular, is coming under renewed pressure. “The screw is turning on restricting the flow of data to China, under the banner of privacy, national security and competitiveness interests,” Jones says. “The Irish DPC decision – with the backing of other EU privacy authorities – comes hot on the heels of newly-enacted US restrictions on data sharing with China and other ‘countries of concern’.”
The DPC’s ruling is not final and TikTok is expected to appeal. But it’s yet another sign that the once freewheeling world of data transfer is being reshaped by a heady mix of politics, security and privacy enforcement. And for marketers and tech firms alike, the message is clear: international data flows are no longer a back-office issue. They’re front and centre.