
The Irish Data Protection Commission (DPC) has imposed a €530 million fine on TikTok, concluding a major inquiry into the social media giant's unlawful transfers of personal data belonging to European Economic Area (EEA) users to China, and its failure to meet key transparency obligations under the GDPR.
The investigation, conducted by the DPC in its capacity as the lead supervisory authority for TikTok in the EU, scrutinized the lawfulness of personal data transfers to China and whether users were properly informed about such transfers. The final decision, issued on May 2, 2025, found that TikTok violated Articles 46(1) and 13(1)(f) of the General Data Protection Regulation. In addition to the fine — €485 million for unlawful transfers and €45 million for transparency failures — TikTok has been ordered to bring its data processing practices into compliance within six months or face a suspension of its data transfers to China.
Key to the ruling was TikTok's failure to guarantee that the level of protection for EEA users' data accessed in China met the GDPR's “essential equivalence” standard. Although TikTok relied on Standard Contractual Clauses (SCCs) and claimed to have implemented supplementary safeguards, the DPC found the company's assessment of Chinese law — including the Anti-Terrorism Law, the National Intelligence Law, and the Cybersecurity Law — fell short of demonstrating sufficient protection from state surveillance and access.
TikTok argued that remote access from China did not constitute a transfer subject to these laws. However, the DPC noted that TikTok's own documentation acknowledged material divergences between Chinese and EU legal standards, and the company failed to conduct an adequate risk assessment or implement robust mitigation strategies during the time in question.
The investigation also revealed a serious lapse in data integrity. Although TikTok initially assured the DPC that EEA data was not stored on servers in China, the company admitted in April 2025 that limited data had, in fact, been stored there earlier in the year — contradicting earlier statements and prompting the DPC to consider further regulatory action.
Founded by Beijing-based ByteDance, TikTok has rapidly become one of the most influential digital platforms globally, particularly among younger demographics. In Europe alone, the app boasts over 175 million users and employs more than 6,000 staff.
TikTok plans to object
TikTok has strongly rejected the DPC's conclusions and announced plans to appeal the ruling in full. In a lengthy response, Christine Grahn, the company's Head of Public Policy & Government Relations for Europe, criticized the decision for focusing on a “select period from years ago” and overlooking TikTok's €12 billion “Project Clover” data security initiative. Launched in 2023, Project Clover includes European data centers, restricted access protocols, independent audits by NCC Group, and privacy-enhancing technologies such as encryption-on-access and differential privacy.
TikTok emphasized that it has never received a request for European user data from Chinese authorities and has never provided such data. It also noted that many multinational firms use the same SCC-based legal framework for data transfers to countries without adequacy agreements.
The DPC's enforcement follows mounting pressure from privacy advocates, including six formal GDPR complaints filed in January 2025 by noyb (None of Your Business), a European privacy group led by Max Schrems. These complaints, lodged across five EU member states, targeted TikTok, Xiaomi, AliExpress, SHEIN, Temu, and WeChat for allegedly transferring European users' data to China without sufficient safeguards.