TikTok faces fresh accusations from European data protection authorities over continued transfers of user data to China and unauthorized tracking across applications.
Norway’s Data Protection Authority released a statement on Friday stating that TikTok continues to transfer data from European users to China, despite prior regulatory measures. Norwegian users received notifications this week informing them that their personal data remains accessible to TikTok employees in China. Tobias Judin, section head at the Norwegian authority, said, “The practice could have negative consequences for privacy since Chinese legislation could potentially require that the data be shared with Chinese authorities.” Judin added, “At the same time, it is difficult to predict whether this data will actually be handed over to Chinese authorities in the future.”
The Norwegian alert followed a warning from the Dutch Data Protection Authority on December 16. That authority cautioned users that TikTok keeps sending personal data to China while appealing previous regulatory decisions. Monique Verdier, deputy chair of the Dutch authority, stressed that users must grasp the implications, as young people are “often insufficiently aware” of data collection risks.
On December 17, the Austrian digital rights group noyb filed two complaints against TikTok, AppsFlyer, and Grindr. The first complaint claims TikTok illegally tracked a user’s activity across other apps, including Grindr, LinkedIn, and shopping cart additions, without consent. Data from these apps passed through AppsFlyer, an Israeli mobile analytics firm, to TikTok. The tracking captured information revealing sexual orientation, classified as sensitive data under Article 9 of the General Data Protection Regulation (GDPR), which permits processing only in exceptional cases. The user had not consented to this data sharing.
Kleanthi Sardeli, a data protection lawyer at noyb, said, “Like many of its US counterparts, TikTok increasingly collects data from other apps and sources.” Sardeli noted, “This allows the Chinese app to gain a full picture of people’s online activity.”
The second noyb complaint accuses TikTok of breaching GDPR Articles 12 and 15. These articles require controllers to provide users with transparent information and access to their full personal data upon request. TikTok’s download tool delivers only data the company considers most “relevant,” not the complete set, according to the complaint. TikTok later admitted this limitation.
Noyb demands that Austrian regulators order TikTok, AppsFlyer, and Grindr to stop these practices, supply the missing data, and levy fines under GDPR Article 83. Representatives from TikTok, Grindr, and AppsFlyer did not respond to requests for comment.
These developments follow a €530 million fine imposed on TikTok by Ireland’s Data Protection Commission in May. The penalty stemmed from breaches involving transfers of users’ personal data to China without equivalent EU protections for data accessed by Chinese staff. TikTok plans to appeal the decision, stating it could affect multinational data transfers broadly.
