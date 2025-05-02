TikTok has been fined €530 million for illegally sending Europeans' data to China

TikTok now has six months to bring its data processing into compliance or suspend any transfers to China

TikTok has rejected the EU data regulator's decision and plans to appeal in full

The Irish EU Data Protection Commission (DPC) has fined TikTok a total of €530 million (the equivalent of a bit more than $600 million) for illegally sending Europeans' data to China, where its parent company, ByteDance, is based.

Specifically, TikTok was found in breach of two articles of the EU data protection law, GDPR, for not fulfilling its obligations concerning data transfers to China and transparency. The video streaming app now has six months to bring its data processing into compliance or suspend any transfers to China.

TikTok has firmly rejected the data regulator's decision and plans to appeal in full.

TikTok vs the EU

As the DPC Deputy Commissioner Graham Doyle highlights in an official statement, the GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries. That's something TikTok seems to have failed to do.

"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee, and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," said Doyle.

Specifically, the EU data watchdog found TikTok to have breached two GDPR articles: Article 46(1), which regulates its transfers of EEA User Data to China, and its transparency obligations ruled by Article 13(1)(f). The DPC then issued two administrative fines of €485 million and €45 million, respectively.

Such a failure to fulfill GDPR requirements, Doyle noted, didn't enable the video streaming platform to address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage, and other laws.

The problem for TikTok may not end here, though.

TikTok was also found guilty of giving the DPC erroneous information about where Europeans' data where stored. The company first ensured these were not stored on servers based in China. Yet, this allegation was then contradicted in April 2025 when TikTok admitted to having discovered in February 2025 some limited EEA user data on Chinese servers. The DPC is set to publish a decision on this matter in due course.

Commenting on this point, Doyle said: "Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities."

TikTok said to disagree with the DPC decision and be ready to appeal all charges.

"The decision fails to fully consider Project Clover, our €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere. It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place," said Christine Grahn, TikTok's Head of Public Policy & Government Relations for Europe, in an official statement.

This isn't, however, the first time TikTok has been fined in Europe for breaching data protection law. In 2023, the DPC issued a €345 million fine against TikTok for violating children's privacy.

