EU privacy regulators have for the first time taken aim at Beijing’s sweeping surveillance laws in a ruling that threatens to cut off data pipelines with China to protect Europeans.
Ireland’s powerful privacy regulator slapped TikTok with a €530 million fine on Friday, ruling it illegally sent data to China and couldn’t guarantee this was safe from government snooping.
The decision is a watershed moment for Europe’s relationship with Beijing when it comes to the bloc’s flagship data privacy rules and has significant implications for any company transferring personal data from the EU to China.
Friday’s ruling means the “screw is turning” on data flows to China, said Joe Jones, research director at the International Association of Privacy Professionals, which represents people working in the world of privacy globally.
“We’ve had over a decade of EU-U.K., EU-U.S. fights and sagas on [data flows]. This is the first time we’ve seen anything significant on any other country outside of that transatlantic triangle — and it’s China,” said Jones.
Most high-level enforcement of the EU’s General Data Protection Regulation (GDPR) has so far targeted American tech giants, as Europe and the United States have bickered over legal protections for personal data sent across the Atlantic.
Chinese surveillance and data privacy breaches remained out of the EU’s crosshairs, but the growth in popularity and EU presence of big Chinese players has now cast a spotlight on Beijing’s techno-authoritarian tendencies.
Earlier this year, six Chinese companies (AliExpress, SHEIN, Temu, WeChat and Xiaomi as well as TikTok) were the target of complaints filed with European data protection authorities by Austrian privacy group Noyb, founded by privacy activist Max Schrems.
The third-largest fine ever for a breach of the EU’s data protection rulebook, Friday’s decision by Ireland’s Data Protection Commission highlights that China’s laws are fundamentally at odds with European data protection principles.
The fact that the Irish decision was backed by all European data protection authorities with no objections is “pretty significant,” Jones said. “I expect the question of where data can flow, and how, will quickly become part of the conversation on competitiveness.”
TikTok, in its response, said the ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”
The ruling, and especially the fact that TikTok had been storing a limited amount of European user data on Chinese servers, is also likely to prick the ears of U.S. authorities, which are trying to force a sale of TikTok from Chinese parent ByteDance to a U.S. owner.
The U.S. has similar concerns over how Chinese authorities can access Americans’ data. TikTok has repeatedly insisted it does not store U.S. data in China.
The €530 million question
TikTok has been working for years to stave off a heavy fine.
Companies sending EU data to China don’t have an overarching legal framework for this as they would for territories such as the U.S. — instead they rely on individual contracts, through which China-based companies receiving EU data pledge to follow EU protections.
Two years after the Irish investigation was launched, TikTok also unveiled a €12 billion plan called Project Clover to assuage EU concerns over Chinese surveillance through the app. This centered around keeping European users’ data on servers in Europe and allowing a European security company far-reaching access to audit cybersecurity and data protection controls. Just this week, TikTok confirmed a €1 billion investment in a new data center in Finland.
The question now being asked by TikTok and other European businesses sending data to China is: If specific contracts and locating data servers in the EU are not enough to please regulators, then what is?
TikTok said on Friday it was “disappointed to have been singled out” despite it relying on the “same legal mechanism employed by thousands of other companies providing services in Europe.”
“If the extensive measures implemented under Project Clover … as well as independent, third-party monitoring are deemed insufficient, it’s reasonable to ask: what would be considered sufficient?” said Christine Grahn, TikTok’s head of public policy and government relations for Europe.
TikTok now has six months to find a way to make its data transfers to China compliant with the GDPR or shut off the flow of EU data to China entirely.
The company has said it plans to challenge the decision, which will delay the six-month ultimatum. But any business taking a similar legal approach to TikTok will now be in the dark about how it can legally send data to China.
‘Grey zone’
Chinese laws like the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law give the government sweeping powers to order Chinese companies to hand over data.
Tim Rühlig, senior analyst for Asia and Global China at the European Union Institute for Security Studies, said that there is currently a legal “gray zone” in terms of how those surveillance laws apply to data stored outside of China.
“It’s a one-size-fits-all clause that says organizations [and] natural persons of China have to comply with security services when asked something. I have a hard time seeing a Chinese company saying, ‘Sorry that that piece of data that you’re asking for lies on a European server,’” he said.
Rogier Creemers, lecturer in Modern Chinese Studies at Leiden University, said it was “notoriously difficult to monitor” how often Chinese authorities actually use these powers, but the risk that EU citizen data will be snooped on is “not zero.”
Although the Irish regulator’s decision is specifically related to TikTok’s data handling practices, Creemers said that other companies sending data to China will “definitely reassess their own compliance strategies with the GDPR, and whether those compliance strategies will need to be revised.”
The post Why TikTok ruling sparks trouble for EU-China relations appeared first on Politico.