TikTok has been fined €530 million ($599 million) by Ireland’s Data Protection Commission (DPC) for violating European Union privacy laws by unlawfully transferring users’ personal data to China and failing to maintain transparency with its users.
The penalty marks the third-largest fine issued under the EU’s General Data Protection Regulation (GDPR). The DPC found that TikTok, whose EU headquarters is in Ireland, breached data protection rules by failing to guarantee the safety of European user data under Chinese surveillance laws, which allow authorities sweeping access to company-held information.
In a landmark ruling on data transfers to China, the regulator stated that TikTok inadequately assessed the risks posed by Chinese legislation. The company reportedly admitted that China’s legal standards “materially diverge” from those of the EU.
Between 2020 and 2022, TikTok also breached GDPR transparency obligations by failing to inform users that their data was being transferred to China. Although it revised its privacy policy in 2022 to address this gap, the DPC said the updates came too late. Of the total fine, €485 million relates to the illegal data transfers, while €45 million pertains to the lack of transparency.
TikTok had previously asserted that it did not store European user data on servers in China. However, in April this year, it disclosed that a limited amount of data from the European Economic Area had been stored in China, prompting further scrutiny. While the company claims the data has since been deleted, Irish regulators are still considering additional action.
The DPC has given TikTok six months to either bring its data processing practices into full compliance or halt all data transfers to China.
TikTok has rejected the findings and announced plans to appeal. Christine Grahn, TikTok’s Head of Public Policy and Government Relations for Europe, criticised the DPC for overlooking the company’s existing safeguards and claimed the decision unfairly targets TikTok while other firms use similar legal mechanisms for data transfers.
TikTok highlighted its €12 billion investment in “Project Clover,” an initiative aimed at localising user data in European data centres. However, the DPC said this effort did not affect its ruling.
Grahn also warned that the decision could set a dangerous precedent for global businesses operating in Europe, potentially undermining the EU’s digital competitiveness.
