Ireland’s Data Protection Commission (DPC) on Friday fined popular video-sharing platform TikTok €530 million ($601 million) for infringing data protection regulations in the region by transferring European users’ data to China.
“TikTok infringed the GDPR regarding its transfers of EEA [European Economic Area] User Data to China and its transparency requirements,” the DPC said in a statement. “The decision includes administrative fines totaling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months.”
The order, in addition, requires the company to suspend data transfers to China within the time period.
The penalty is the result of an investigation that was launched in September 2021 that probed the company’s transfer of personal data to China and its compliance with stringent data protection laws regarding data transfers to third countries.
Commenting on the decision, DPC Deputy Commissioner Graham Doyle said TikTok’s personal data transfers to China went against Article 46(1) of the General Data Protection Regulation (GDPR) because it failed to verify and guarantee that the personal data of EEA users was given equivalent privacy protections to that afforded within the bloc.
Doyle further added that TikTok did not address concerns arising from potential access by Chinese authorities under anti-terrorism and counter-espionage laws in the country and which “materially” diverged from European Union standards.
The DPC also faulted TikTok for providing erroneous information during the inquiry to the effect that it did not store EEA users’ data in Chinese servers, only to disclose to the watchdog last month that it identified an issue in its systems in February 2025, as a result of which limited EEA data had indeed been stored on servers in China.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” Doyle said.
Christine Grahn, TikTok’s head of public policy and government relations for Europe, said the decision failed to take into account Project Clover, a data security initiative aimed at protecting European user data, and that the ruling does not reflect the current safeguards put in place.
“The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them,” Grahn said.
This is the second fine levied by the DPC against the ByteDance-owned company. In September 2023, TikTok was handed a €345 million (then about $368 million) fine for violating GDPR laws in relation to its handling of children’s data.
