TikTok Fined €530M Over Unlawful Data Transfers To China

The Irish Data Protection Commission (DPC) has issued a landmark €530 million (approximately $600 million) fine against TikTok Technology Limited (TTL) following an extensive inquiry into the transfer of personal data of users of the TikTok platform in the EEA to the People’s Republic of China (“China”).

The penalty, one of the largest ever imposed under the General Data Protection Regulation (GDPR), follows a four-year investigation by the DPC, which is the EU’s Lead Supervisory Authority for TikTok because the company’s European headquarters are in Dublin.

Deadline for Compliance

The decision also imposes a six-month deadline for the popular short video-sharing app to bring its processing into full compliance with EU law. If the company fails to meet this timeframe, it could face a suspension of all transfers of EEA user data to China.

“TikTok infringed the GDPR regarding its transfers of EEA [European Economic Area] User Data to China and its transparency requirements. The decision includes administrative fines totaling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months,” the DPC said in a statement on Friday.

According to the DPC’s investigation, TikTok, owned by Chinese tech giant ByteDance, failed to give the personal data of EU users accessed by employees in China the level of protection required within the EU.

Specifically, TikTok violated Article 46(1) of the GDPR by not adequately validating that Chinese laws and practices offered protection “essentially equivalent” to that guaranteed within the EU. It also violated Article 13(1)(f) by failing to properly inform users of the data transfers and the nature of the processing involved.

“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee, and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Graham Doyle, Deputy Commissioner, while emphasizing the seriousness of the findings.

TikTok had identified Chinese laws—including the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law, and the National Intelligence Law—as materially diverging from EU data protection standards. Despite this, the DPC said that the company did not implement effective supplementary measures or conduct a complete legal analysis, as required by GDPR. Such legislation could enable government access to personal data, thereby undermining EU privacy protections.

The DPC added that TikTok claimed throughout the inquiry that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok disclosed that it had discovered in February 2025 that some EEA data had, in fact, been stored on Chinese servers, contradicting the company’s previous statements.

“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” Doyle added.

Christine Grahn, TikTok’s Head of Public Policy & Government Relations for Europe, responded by stating that the company disagrees with the DPC’s decision, that it has never provided European user data to Chinese authorities, and that it used standard legal mechanisms for data transfers.

Company to Appeal

The company also plans to appeal the decision, arguing that it does not adequately take into account the significant data security improvements introduced through TikTok’s new “Project Clover”, a data governance initiative aimed at improving compliance.

This is not the first time TikTok has faced scrutiny over data privacy. In 2023, the DPC fined TikTok €345 million for failing to protect children’s privacy, including setting accounts of users aged 13 to 17 to public by default, and failing to provide sufficient transparency information about privacy settings to child users, under the EU’s GDPR rules.

Kavita Iyer