The Irish Data Protection Commission (DPC) has fined TikTok €530 million (over $601 million) for illegally transferring the personal data of users in the European Economic Area (EEA) to China, violating the European Union’s GDPR data protection regulations.
The administrative fines imposed by the Irish watchdog consist of a fine of €485 million for its infringement of Article 46(1) GDPR regarding the lawfulness of the data transfers to China and a fine of €45 million for its infringement of Article 13(1)(f) regarding the lack of transparency.
TikTok was also ordered to bring its data processing into compliance within six months, with the DPC planning to suspend all data transfers to China if the company fails to update its policies in time.
DPC officials pointed out that the issue goes beyond the location of the servers and is also about the risk that Chinese authorities could access the data of European users under domestic laws concerning terrorism and espionage, which contravene EU standards.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said DPC Deputy Commissioner Graham Doyle.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
The DPC added that TikTok claimed during the investigation that it did not store users’ data from the European Economic Area (EEA) on servers located in China.
However, in April 2025, TikTok revealed that it had discovered in February 2025 that some EEA user data had been stored on servers in China, contradicting the company’s earlier statements.
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously,” Doyle said in a Friday statement. “Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
TikTok to appeal DPC’s decision
However, Christine Grahn, TikTok’s Head of Public Policy & Government Relations for Europe, said the company disagrees with the DPC’s decision and that it’s planning to appeal it because it fails to consider TikTok’s new Project Clover data security initiative.
“Under Project Clover, TikTok has implemented advanced privacy-enhancing technologies (PETs), such as encryption-on-access and differential privacy, to ensure that non-restricted data is de-identified before it can be accessed by employees in China,” Grahn said. “Crucially, independent cybersecurity experts at NCC Group have verified that these safeguards are working as intended.”
This is the third-largest fine imposed by the Irish data protection authority so far, after sanctioning Amazon with 746 million euros for its targeted behavioral advertising practices and Facebook with 1.2 billion euros for transferring data of EU-based users to the United States.
Previously, TikTok was slapped with a €345 million ($368 million) fine by the DPC for violating the privacy of children while processing their data and employing “dark patterns” during the registration process and while posting videos, nudging users toward selecting options that compromised their privacy.
In January 2023, TikTok was also fined €5 million ($5.4 million) by France’s data protection authority (CNIL) for failing to adequately inform users about its cookie usage and making it challenging to opt-out.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
-
-
-
-
-
-
-
-
