The Irish Data Protection Commission (DPC) has fined TikTok €530 million for breaching the EU General Data Protection Regulation (GDPR) by transferring personal data of European users to China without implementing adequate safeguards.
The decision also found that TikTok failed to meet its transparency obligations by not clearly informing users about these data transfers.
The investigation revealed that TikTok allowed staff in China to access EU and EEA user data without ensuring adequate safeguards, violating Articles 5(1)(a), 5(1)(f), 12(1), 13(1)(f), and Chapter V of the GDPR.
This marks one of the largest fines ever imposed under the GDPR.
What did TikTok do wrong?
- Data Transfers Without Adequate Protection:
TikTok failed to demonstrate that EEA user data accessed from China was protected at a level equivalent to that required under EU law. The company’s reliance on Standard Contractual Clauses (SCCs) and supplementary measures was found to be insufficient.
- Misleading Statements to the Regulator:
TikTok initially told regulators that EU user data was not transferred to China. However, it later acknowledged that personnel based in China had remote access to personal data stored in Singapore and the United States—information not disclosed in its 2021 Privacy Policy. In April 2025, TikTok further informed the DPC that limited EEA user data had, in fact, been stored on servers in China, contrary to its earlier evidence.
- Lack of Transparency:
The company’s privacy policy did not clearly inform users that their personal data, stored in Singapore and the United States, could be accessed from China or explain the legal basis for such transfers. The DPC found this to be misleading and non-compliant with GDPR transparency obligations.
TikTok’s Response
TikTok announced it would appeal the decision, stating that it relies on Standard Contractual Clauses (SCCs) and has implemented measures like independent access monitoring and localized data storage (including new data centers in Europe).
The company also claims that it has never received or complied with a request for user data from Chinese authorities.
What happens next?
The DPC has given TikTok six months to bring its data transfer operations in line with EU law. If the company fails to comply, it could face a suspension of its data transfers to China.
This is not TikTok’s first brush with GDPR regulators. In 2023, the platform was fined €345 million over mishandling children’s data—indicating a growing trend of regulatory scrutiny over its data practices.
Why this matters
This case reinforces the EU’s strict stance on international data transfers and the need for transparency, accountability, and lawful processing—especially when data leaves the EU and enters jurisdictions with different legal frameworks.
For companies operating across borders, GDPR compliance is not optional—especially when it comes to where and how personal data is processed.