TikTok has been fined €530 million ($601 million) by Ireland's Data Protection Commission (DPC) for illegally transferring European user data to China in violation of the European Union's General Data Protection Regulation (GDPR). The regulator warned that unless TikTok brings its data practices into compliance within six months, it will suspend the platform's cross-border data transfers.
The decision follows a four-year investigation into how TikTok, owned by Beijing-based ByteDance, handled European Economic Area (EEA) user data. "TikTok's personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," said Graham Doyle, deputy commissioner at the DPC.
The regulator also found that TikTok provided inaccurate information during the probe, initially claiming it did not store European user data on Chinese servers. However, in April, the company disclosed that it had discovered in February that limited EU user data had in fact been stored in China, contradicting its previous assurances.
Doyle added that the DPC is taking these developments "very seriously" and is "considering what further regulatory action may be warranted" in consultation with EU privacy authorities.
TikTok said it strongly disagrees with the DPC's findings and plans to appeal. "The decision fails to fully consider these considerable data security measures," said Christine Grahn, TikTok's head of public policy and government relations for Europe. She said the ruling focused on "a select period from years ago" before the implementation of Project Clover, the company's €12 billion initiative to localize data and strengthen protections through three new European data centers.
Grahn added, "The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm."
TikTok has stated it has never received a request from Chinese authorities for EU user data and has never provided such data. Nevertheless, the DPC emphasized that TikTok failed to conduct adequate assessments of the risks posed by Chinese laws on anti-terrorism, counterespionage, and national intelligence, which "materially diverge" from EU privacy standards.
The investigation, launched in September 2021, also cited a lack of transparency in TikTok's privacy policies at the time. The company did not specify that personal data could be accessed remotely by staff in China or that processing occurred across data centers in Singapore and the United States.
TikTok has previously faced regulatory scrutiny in the EU. In 2023, it was fined hundreds of millions of euros in a separate case related to child data protection violations.
Under GDPR, EU user data can only be transferred outside the bloc if equivalent safeguards are in place. The DPC concluded that TikTok failed to meet this threshold and failed to address legal access by Chinese authorities to personal data, raising concerns over potential government surveillance.