by Temitope Oladeji
02/05/2025
TikTok has been hit with a €530 million fine by Ireland’s Data Protection Commission (DPC) for unlawfully disseminating European user data to China and failing to be transparent about its data handling practices.
The penalty marks the third-largest fine ever issued under the EU’s General Data Protection Regulation (GDPR).
In a landmark decision, the DPC concluded that TikTok breached core GDPR principles by sending European data to China without ensuring adequate protection against Chinese surveillance laws.
The regulator stated that the company failed to properly assess the implications of China’s sweeping data access laws. These laws compel companies to surrender user information upon government request, legislation that TikTok itself admitted significantly diverges from EU privacy standards.
The investigation found that from 2020 to 2022, TikTok failed to inform users that their data was being transferred to China.
Although the company updated its privacy policy in 2022 to reflect these practices, the DPC determined that earlier non-disclosures constituted a serious transparency violation.
As a result, TikTok was fined €485 million for unlawful data transfers and an additional €45 million for transparency failures.
The social media platform, which has its European headquarters in Ireland, now has six months to bring its data processing activities into full compliance with European privacy law or suspend all data transfers to China.
The case marks the DPC’s first formal stance on data transfers to China, setting a potentially precedent-setting benchmark for future enforcement actions across the EU.
TikTok has contested the ruling and announced plans to appeal.
The Chinese company said, “We strongly disagree with the DPC’s decision, particularly its failure to recognize the robust safeguards we’ve implemented,” said Christine Grahn, TikTok’s Head of Public Policy and Government Relations for Europe.
She argued that TikTok is being unfairly targeted despite using the same legal frameworks employed by countless other tech firms operating across Europe.
The company pointed to its €12 billion investment in Project Clover, a major initiative aimed at localizing data storage within the European Union, as evidence of its commitment to privacy compliance.
However, the DPC acknowledged these efforts and concluded they could not mitigate the risks associated with Chinese data access laws.
In April, TikTok informed the regulator that it had discovered in February that a “limited” amount of data belonging to users in the European Economic Area (EEA) had been stored on servers in China.
Although TikTok has expressed that this data has since been deleted, Irish DPC Deputy Commissioner Graham Doyle noted that the matter remains under serious review and further regulatory action is being considered.
Grahn emphasized that TikTok has never received a request from Chinese authorities for European user data, nor has it provided such data to Shanghai.
She warned that the DPC’s ruling could have “far-reaching consequences” for globally operating businesses and may undermine the EU’s competitiveness in the digital economy.