TikTok has been fined €530 million by Ireland’s Data Protection Commission (DPC) for unlawfully transferring European user data to China and failing to meet EU transparency standards—marking one of the largest fines ever issued under the General Data Protection Regulation (GDPR).
The penalty follows a multi-year investigation into how TikTok, which is owned by Beijing-based ByteDance, handled data from users across the European Economic Area (EEA). As TikTok’s European headquarters is in Dublin, the DPC acts as its lead EU privacy regulator.
Key findings: failure to protect and inform
The DPC found TikTok had breached Article 46(1) of the GDPR by failing to verify, guarantee, and demonstrate that European user data—remotely accessed by staff in China—was given a level of protection essentially equivalent to that required within the EU. TikTok’s own legal analysis submitted during the inquiry acknowledged that Chinese laws, including the Anti-Terrorism Law and the National Intelligence Law, diverge materially from EU data protection standards.
Deputy Commissioner Graham Doyle said:
“TikTok did not address potential access by Chinese authorities to EEA personal data… TikTok failed to undertake the necessary assessments.”
A separate violation of Article 13(1)(f) of the GDPR concerned TikTok’s lack of transparency. Until its privacy policy was updated in December 2022, TikTok did not inform users that their data could be accessed remotely from China or even identify China as a recipient country for data transfers. The transparency breach covers the period from July 2020 to December 2022.
Erroneous evidence and further scrutiny
Adding to the severity of the ruling, TikTok admitted in April 2025 that it had discovered—in February—that some EEA user data had in fact been stored on servers in China, contradicting prior assurances to the regulator. TikTok stated the data had since been deleted, but the DPC is considering further regulatory action.
Corrective orders and timeline
TikTok has been given six months to bring its processing operations into compliance. If it fails to do so, the DPC has ordered a suspension of all data transfers to China.
The total fine includes €485 million for the unlawful data transfers and €45 million for transparency failures.
TikTok responds: appeal planned
TikTok has strongly contested the findings and confirmed it will appeal. In a blog post, Christine Grahn, TikTok’s head of public policy for Europe, said the decision “does not reflect the safeguards now in place,” referring to the company’s €12 billion “Project Clover” data localisation initiative, which includes EU-based data centres and stricter access controls.
She also noted that:
“The DPC itself recorded that TikTok has never received a request for European user data from Chinese authorities, and has never provided such data to them.”
However, TikTok has previously acknowledged that staff in China can access user data for operational purposes, including algorithm checks and spam detection.
Broader geopolitical backdrop
The ruling heightens global scrutiny of TikTok at a time when Western regulators are increasingly wary of potential Chinese government access to personal data. In the US, the platform is still facing the prospect of a ban unless its Chinese parent company divests its American operations.
