
TikTok has been hit with a €530 million GDPR fine for unlawfully transferring European user data to China and failing to ensure proper privacy safeguards.
What happened
The Irish Data Protection Commission (DPC) has issued a €530 million fine (over US$601 million) against TikTok for violating the European Union’s General Data Protection Regulation (GDPR). The platform was found to have unlawfully transferred personal data of users in the European Economic Area (EEA) to China and failed to provide adequate transparency about these transfers.
The fine includes €485 million for breaching GDPR Article 46(1), which governs international data transfers, and €45 million for violating Article 13(1)(f) concerning transparency obligations. TikTok has been ordered to bring its data processing practices into full compliance within six months or risk a suspension of all data transfers to China.
Going deeper
While TikTok claimed that it did not store EEA user data on Chinese servers, the company later admitted in April 2025 that some user data had in fact been stored in China as recently as February. This contradicted earlier statements and raised red flags among EU regulators.
The DPC’s concerns go beyond server location. Officials pointed to the risk that Chinese authorities could access the data under domestic laws related to counterterrorism and espionage, laws that significantly diverge from EU standards. DPC Deputy Commissioner Graham Doyle stated that TikTok failed to verify and demonstrate that EEA users’ data, when accessed by staff in China, received “essentially equivalent” protections as required by the GDPR.
TikTok was also criticized for not conducting proper assessments of the legal risks related to the Chinese government's access to EEA data. Following the revelation about the data stored in China, the DPC is now considering further regulatory actions.
What was said
DPC Deputy Commissioner Graham Doyle explained: “TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
In response, Christine Grahn, TikTok’s Head of Public Policy & Government Relations for Europe, announced that the company plans to appeal the ruling: “The decision fails to take into account the progress TikTok has made under Project Clover, which includes privacy-enhancing technologies like encryption-on-access and differential privacy.”
She added that independent cybersecurity experts from NCC Group had verified the effectiveness of TikTok’s new safeguards.
In the know
This is the third-largest GDPR fine issued by Ireland’s data protection authority, following previous penalties against Amazon and Facebook. It signals intensifying regulatory pressure on tech platforms transferring data outside the EU, particularly to countries like China, where domestic laws may conflict with European privacy protections.
TikTok has already faced several penalties in Europe. In 2023 alone, it was fined €345 million for violating children’s privacy and €5 million by France’s CNIL for issues related to cookie transparency.
Why it matters
As regulatory scrutiny increases, companies handling European user data must prioritize compliance, not just in data storage but also in transparency and cross-border access. The TikTok case shows that vague assurances and delayed disclosures are no longer sufficient under GDPR.
FAQs
Why is transferring data to China such a concern for EU regulators?
Chinese laws allow broad government access to private data, which conflicts with EU privacy standards and raises surveillance risks.
How did regulators discover TikTok’s noncompliance?
TikTok admitted in April 2025 that user data had been stored in China, contradicting earlier claims and triggering regulatory review.
Does this fine affect TikTok users in the U.S. or the UK?
No, this ruling only applies to users in the European Economic Area (EEA), though it may influence broader regulatory trends.
Could this lead to TikTok being banned in Europe?
The ruling is not a ban, but noncompliance could lead to data transfer suspensions, severely limiting TikTok’s operations in the EU.