In a significant enforcement action, the European Union has fined TikTok €530 million ($600 million) for violating the General Data Protection Regulation (GDPR) by unlawfully transferring European users’ data to China.
The penalty, imposed by Ireland’s Data Protection Commission (DPC), underscores the EU’s commitment to safeguarding personal data and ensuring transparency in cross-border data flows.
Key Findings from the DPC Investigation
The DPC’s four-year investigation revealed that TikTok failed to implement adequate safeguards to protect EU users’ personal data from unauthorized access by staff in China. The regulator criticized TikTok for its lack of transparency regarding data transfers and its failure to ensure protections equivalent to EU standards.
Notably, TikTok initially denied storing data in China but later admitted in February 2025 that limited data had indeed been stored on Chinese servers, contradicting prior statements to the DPC.
TikTok’s Response and Compliance Measures
TikTok has announced plans to appeal the decision, arguing that the issues identified predate its ongoing “Project Clover,” which involves building three data centres in Europe to enhance data security. The company maintains that it has never provided European user data to Chinese authorities and uses standard legal mechanisms for data transfers.
However, the regulator cited concerns over potential Chinese government access to user data and said that TikTok had supplied inaccurate information during the probe.

Broader Implications and Regulatory Context
This fine marks TikTok’s second major penalty from the DPC, following a €345 million fine in 2023 for violations involving children’s data. The DPC has also fined other tech giants like LinkedIn, X, and Meta since acquiring fining authority under the GDPR in 2018.
The case highlights broader regulatory scrutiny as global tensions rise, particularly regarding China’s influence and ongoing US legislative pressure on TikTok to divest its American operations.
Next Steps for TikTok
The DPC has ordered TikTok to bring its data processing activities into compliance with EU regulations within six months, or face suspension of such data transfers. This includes ceasing the transfer of personal data to China unless adequate safeguards are implemented.
TikTok’s appeal process will be closely watched, as it may set precedents for how international data transfers are regulated under the GDPR.
This enforcement action underscores the EU’s stringent stance on data privacy and the importance of transparency and accountability in handling personal data, especially when it involves cross-border transfers to jurisdictions with differing legal standards.