Ireland’s Data Protection Commission (DPC) has imposed a substantial €530 million fine on TikTok for serious breaches of European Union data protection laws.

The penalty, announced on May 2 following a lengthy investigation that began in 2021, addresses the platform’s failure to safeguard European users’ personal information when transferring data to China.

The Irish regulator’s investigation uncovered two significant breaches of the General Data Protection Regulation (GDPR). First, TikTok violated Article 46(1) by failing to verify that European users’ data accessed remotely by China-based staff would receive protection equivalent to EU standards. For this infringement, the company faces a €485 million fine.

Second, TikTok breached transparency requirements under Article 13(1)(f) between July 2020 and December 2022 by not properly informing users that their data could be accessed in China, resulting in an additional €45 million penalty.

“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” stated DPC Deputy Commissioner Graham Doyle.

The investigation revealed TikTok had not adequately assessed how Chinese legislation, including anti-terrorism, counter-espionage, and cybersecurity laws, could potentially enable government access to European users’ data. These laws “materially diverge from EU standards,” according to the DPC’s findings.

False Information and Hidden Storage Practices

In a significant development that compounds the company’s regulatory troubles, TikTok admitted in April 2025 that it had provided incorrect information to investigators.

Throughout the inquiry, TikTok maintained it did not store European Economic Area (EEA) user data on servers in China. However, the company later disclosed that in February 2025 it discovered “limited EEA User Data had in fact been stored on servers in China,” contrary to its previous statements.

This revelation prompted additional scrutiny, with Deputy Commissioner Doyle noting: “The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted.”

Six-Month Compliance Deadline and Potential Suspension

Beyond the financial penalty, the Irish regulator has ordered TikTok to bring its data processing practices into compliance with GDPR requirements within six months. If the company fails to address these issues, the DPC will enforce a suspension of all data transfers to China – a measure that could significantly impact TikTok’s operations.

The ruling acknowledges TikTok’s ongoing “Project Clover” initiative, launched in March 2023 to enhance data security for European users. However, the DPC determined these measures remain insufficient to fully address the compliance concerns.

TikTok Contests Findings and Plans Appeal

TikTok has strongly contested the DPC’s findings and announced plans to appeal the decision. The company argues it has followed the EU’s own legal framework by using standard contractual clauses to permit controlled remote access to data.

“This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” TikTok said in a statement. The company also emphasised that it has never received requests for European user data from Chinese authorities and has never provided such data to them.

Global Scrutiny Intensifies

This represents the second major penalty imposed on TikTok by the DPC, following a €345 million fine in 2023 regarding the processing of children’s personal data.

The ruling adds to mounting pressure on the platform, which faces ongoing scrutiny in the United States where lawmakers have raised similar concerns about potential Chinese government access to user information.

The decision establishes a significant precedent for how multinational tech companies must handle cross-border data transfers, particularly when operating between jurisdictions with fundamentally different approaches to privacy and government surveillance.

For TikTok’s 175 million European users, the decision offers reassurance that EU regulators are actively enforcing protections, even as questions remain about the platform’s future compliance and data security practices.

News Source: https://www.cnbc.com/2025/05/02/ireland-fines-tiktok-530-million-for-sending-eu-user-data-to-china.html