TikTok has been fined €530 million for the unlawful transfer of European users’ personal data to China and for a lack of transparency with its users.
Ireland’s Data Protection Commission (DPC) stated that TikTok violated key EU data protection regulations by transferring European users’ data to China without ensuring that it would be safeguarded under Chinese surveillance laws.
For the first time taking a clear stance on data transfers to China, the regulator said TikTok failed to adequately assess the implications of Chinese legislation on the surveillance of Europeans’ data.
These laws, which grant the Chinese government broad authority to compel companies to hand over data, are “fundamentally different from EU standards,” TikTok acknowledged during the investigation.
The DPC also found that TikTok violated transparency rules between 2020 and 2022 by not informing users that their personal data was being transferred to China. Although TikTok updated its privacy policy in 2022 and now “complies with requirements,” the violations had already occurred.
The company was fined €485 million for the data transfer and €45 million for insufficient transparency in its privacy policy.
This is the third-largest fine ever issued under the EU’s General Data Protection Regulation (GDPR). Since TikTok’s EU headquarters are in Ireland, the Irish DPC is the lead supervisory authority for enforcing data protection rules.
Although TikTok has long claimed it does not store EU or US user data on Chinese servers, in April it disclosed to the regulator that in February it discovered “a limited amount of EEA user data” had in fact been stored in China.
Deputy Commissioner Graham Doyle of the Irish DPC said the regulator takes this revelation “very seriously.” While TikTok has claimed to have deleted the data from Chinese servers, the DPC is considering “what further regulatory action may be justified.”
TikTok has been given six months to either bring its data processing practices into full compliance with EU privacy regulations or to cease all data transfers to China.
The company said it “strongly disagrees” with the DPC’s findings and plans to appeal. TikTok pointed to its €12 billion investment in Project Clover — a European initiative to build local data centers for EU-based storage — and other privacy safeguards.
The DPC acknowledged the project but stated it was not sufficient to alter its decision.
TikTok warned that the DPC’s ruling “creates the risk of a precedent with far-reaching consequences for companies and entire industries operating globally,” and “deals a blow to the European Union’s competitiveness.”
