TikTok has been fined €530 million ($601 million) by Ireland’s Data Protection Commission (DPC) for violating GDPR rules by transferring European user data to China without proper safeguards. The penalty comes after an investigation revealed the platform failed to ensure that user data received privacy protections equivalent to those in the European Economic Area (EEA).
The DPC also ordered TikTok to suspend all data transfers to China within six months and to bring its data practices into full compliance with the General Data Protection Regulation (GDPR).
TikTok’s Data Transfers Breached EU Privacy Laws
The fine follows a probe that began in September 2021, focusing on TikTok’s cross-border data transfers and compliance with Article 46(1) of the GDPR. This rule requires that any transfer of personal data outside the EEA ensure an adequate level of data protection.
According to DPC Deputy Commissioner Graham Doyle, TikTok’s failure to verify and enforce privacy safeguards in line with EU standards—especially concerning access by Chinese government agencies—constituted a significant breach.
“TikTok infringed the GDPR regarding its transfers of EEA user data to China and its transparency requirements,” Doyle stated. “The company also failed to address the risks associated with Chinese anti-terrorism and counter-espionage laws, which diverge materially from EU data protection standards.”
Compounding the issue, TikTok initially denied that any EEA user data was stored on servers in China. However, the company later admitted that a system issue in February 2025 resulted in limited European user data being stored in China. While TikTok claims the data has now been deleted, the DPC is consulting with other EU data protection authorities to determine whether additional regulatory action is needed.
“This discrepancy raises serious concerns about TikTok’s transparency and accountability,” Doyle added.
TikTok Responds, Cites Project Clover
In response to the ruling, Christine Grahn, TikTok’s Head of Public Policy and Government Relations for Europe, defended the platform’s data practices and pointed to Project Clover, a data security initiative designed to safeguard European user data.
Grahn criticized the DPC’s decision for failing to account for the new measures TikTok has implemented. “The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from Chinese authorities, and has never provided data to them,” she said.
Project Clover, launched to address EU privacy concerns, includes efforts to store European data within the region and limit overseas access. However, regulators remain skeptical, especially in light of TikTok’s recent admission about Chinese data storage.
This isn’t the first time TikTok has faced fines from EU regulators. In September 2023, the DPC fined TikTok €345 million ($368 million) for GDPR violations related to the processing of children’s data on the platform. The fine highlighted the company’s failure to protect minors from data exploitation and unauthorized profiling.
Combined with the current €530 million fine, TikTok has now faced nearly €900 million in GDPR-related penalties within two years.
EU Regulators Crack Down on Tech Giants
The TikTok ruling reflects a broader push by EU authorities to hold tech companies accountable for data privacy violations. Regulators have been increasingly aggressive in enforcing GDPR compliance, particularly with platforms handling vast amounts of personal and location-based data.
Under GDPR, companies found guilty of serious violations can be fined up to 4% of their global annual revenue, giving regulators powerful tools to protect user rights.
For TikTok, owned by China-based ByteDance, the pressure to build trust with European users continues to mount. With growing scrutiny over its handling of personal data and potential influence from the Chinese government, TikTok will likely face further investigations and regulatory challenges in the region.