TikTok Fined €530 Million by Irish Watchdog Over Unlawful Data Transfers to China

Ireland’s Data Regulator Penalizes TikTok for Violating GDPR Through Unlawful Transfers and Lack of Transparency

TikTok is facing a €530 million penalty from Ireland’s Data Protection Commission (DPC) for mishandling the personal information of users across the European Economic Area (EEA). The fine comes from two major violations: the company’s failure to ensure lawful data transfers to China and a lack of clarity in informing users about how their data was being processed.

This enforcement marks one of the largest GDPR fines to date and signals a broader regulatory pushback on global tech platforms managing cross-border data flows.

Data Transfers Breached GDPR Safeguards

The DPC concluded that TikTok transferred personal data from the EEA to China without putting in place sufficient safeguards to ensure the level of privacy required under EU regulations. Under European data law, exporting personal data beyond EU borders is only allowed when the recipient country provides comparable levels of data protection.

The investigation concluded that TikTok didn’t properly evaluate whether Chinese legal systems—particularly those permitting broad governmental access to data—could uphold such standards. The DPC found that TikTok’s data transfer safeguards did not meet the standards required by the GDPR for protecting personal data sent outside the EU.

Stored Data Found in China Despite Previous Denials

Although TikTok had publicly maintained that European user data remained outside Chinese jurisdiction, this changed earlier in 2025. During an internal audit in February, the company discovered that some user data from the EEA had indeed been housed in China. This discovery directly conflicted with TikTok’s earlier statements and was not promptly disclosed to Ireland’s data watchdog.

Deputy Commissioner Graham Doyle expressed concern over the timing of this disclosure, suggesting it could influence further regulatory scrutiny. The delayed admission, he noted, undermines trust and transparency, particularly in an area as sensitive as user data security.

Platform Ordered to Update Its Data Practices

In addition to the financial penalty, TikTok has been ordered to bring its data transfer operations into full compliance with GDPR within six months. If the company fails to make the necessary adjustments, the DPC warned that it may face additional restrictions, including a possible halt on all EEA data being moved to China.

The ruling also highlighted that TikTok’s existing safeguards did not go far enough in offsetting the risk of foreign surveillance, especially given China’s broad state access provisions under its national laws.

TikTok was also penalized for failing to clearly communicate where user data was going and who had access to it. Until late 2022, the platform’s privacy disclosures did not specify that personnel based in China could access European user data remotely. This lack of transparency violated GDPR provisions requiring users to be informed about where and how their data is being handled.

A distinct €45 million penalty was issued for TikTok’s lack of transparency, specifically addressing shortcomings in its privacy practices between July 2020 and December 2022.

TikTok Plans to Appeal, Citing Global Practices

TikTok said it would challenge the decision, arguing that it used legal tools—like Standard Contractual Clauses—widely accepted in international data transfers. The company also pointed to its ongoing investment in “Project Clover,” a multi-billion-euro initiative to localize European user data and reduce dependence on overseas processing.

Christine Grahn, TikTok’s Head of Public Policy for Europe, emphasized that no user data from Europe has ever been requested by Chinese authorities, and none has been handed over. She also warned that the DPC’s ruling could have broader consequences for other multinational firms using similar data transfer mechanisms.

Still, regulators held firm in their view that the measures TikTok had in place were insufficient to guarantee the level of protection European users are entitled to under the law.

This substantial fine reinforces the EU’s insistence on safeguarding personal data, especially when it crosses into jurisdictions with less stringent privacy frameworks. The decision underscores that vague assurances and partial safeguards are no longer enough.

As data sovereignty becomes a global concern, TikTok’s case may set the tone for how strictly international tech firms are held to account when dealing with European user data.

Chee Wanmun

I’m Chee Wanmun, an independent journalist with a love for storytelling, hiking, and photography. A coffee enthusiast, I find inspiration in the works of writers like Hemingway and Orwell, who remind me of the power of simple, impactful words.
