TikTok has been fined 530 million euros ($601.3 million) by Ireland’s Data Protection Commission (DPC) for violating the European Union’s General Data Protection Regulation (GDPR) by transferring user data to China without ensuring adequate protection. The DPC, which acts as the primary privacy regulator for TikTok within the EU, found that TikTok had failed to guarantee that data accessed by its staff in China met the level of protection required under EU law.
The regulator stated that TikTok did not properly assess the potential risks posed by Chinese laws, including those related to counter-espionage and anti-terrorism, which may allow authorities to access personal data. These laws materially diverge from EU privacy standards. The DPC emphasized that TikTok’s failure to perform essential assessments meant that the company did not adequately address the risk of access to European user data by Chinese authorities.
In addition, the DPC discovered TikTok had provided inaccurate information during the investigation, initially claiming that European user data was not stored on Chinese servers. However, the company later admitted that in February, it identified a situation where limited European user data had indeed been stored in China, contrary to previous statements. The DPC has warned that if TikTok does not bring its data processing practices into compliance within six months, it may suspend the platform’s data transfers to China.
TikTok announced it will appeal the decision, arguing that the ruling overlooks the company’s more recent efforts to protect European user data, including Project Clover—a €12 billion initiative implemented in 2023 aimed at strengthening data security infrastructure in Europe. Christine Grahn, head of public policy and government relations for TikTok Europe, criticized the decision as being based on outdated practices and not representative of current safeguards.
Despite assurances from TikTok that it has never received or responded to data requests from the Chinese government, regulators across the West remain skeptical. The platform previously disclosed that staff in countries such as China, Brazil, Canada, and Israel may access user data to ensure consistent service quality. However, concerns persist due to Chinese laws that obligate companies to share data with the government upon request for broadly defined intelligence work.
TikTok’s data practices remain under intense scrutiny, and the outcome of its appeal could set a precedent for how international tech companies handle user data within the EU.
READ MORE: