Introduction
The Irish Data Protection Commission (DPC) has slapped TikTok with a massive €530 million fine for illegally transferring European users’ personal data to China and failing to be transparent about these transfers. These administrative fines, announced in May 2025, represent one of the largest penalties ever imposed under the General Data Protection Regulation (GDPR) and signal growing regulatory scrutiny of data flows between Europe and China.
The fine against TikTok Technology Limited breaks down into €485 million for violations related to unlawful data transfers to China and €45 million for inadequate transparency. These amounts were set out as administrative fines in the DPC's final decision. Beyond the financial penalty, the Irish regulator has ordered TikTok to bring its processing operations into compliance within six months or face suspension of all data transfers to China.
This case highlights the increasing tensions between global tech platforms and European data protection laws, particularly when it comes to data transfers to countries with surveillance regimes that conflict with EU privacy standards.
Background of the TikTok investigation
The Irish DPC launched its investigation into TikTok’s data practices to examine whether the company’s transfers of European Economic Area (EEA) users’ personal data to China were lawful under GDPR. The inquiry examined the lawfulness of those transfers and TikTok's compliance with GDPR requirements, including whether TikTok, as data controller, fulfilled its obligations to inform data subjects about transfers to third countries and to be transparent about the transfer process and the countries involved. The investigation also scrutinized whether TikTok was providing adequate information to users about these transfers.
The case centered on TikTok’s practice of allowing staff based in China to remotely access European user data stored on servers in Singapore and the United States. This investigation was particularly significant because it marked the first time a European regulator has taken a formal stance on data transfers to China under GDPR.
The DPC, which serves as TikTok’s lead supervisory authority in Europe due to the company’s EU headquarters being located in Ireland, submitted its draft decision through the GDPR cooperation mechanism in February 2025. Notably, no objections were raised by other European data protection authorities, indicating unanimous support for the Irish regulator’s findings.
Key findings from the Irish DPC
The DPC’s investigation concluded with two main findings against TikTok:
- Data transfer violations: The DPC found that TikTok's transfers of the personal data of EEA users to China infringed Article 46(1) GDPR because TikTok failed to verify and demonstrate that the data was afforded a level of protection equivalent to that guaranteed within the EU.
- Transparency failures: TikTok breached Article 13(1)(f) GDPR because, between July 2020 and December 2022, its privacy policy did not adequately inform data subjects about the nature and destination of transfers of their data to China, leaving them without sufficient information about these international data transfers.
GDPR requires data controllers to provide data subjects with clear information about transfers of personal data to third countries, including the nature, scope, and destinations of such transfers; Article 13(1)(f) is the provision that imposes this obligation.
The decision was made by the Commissioners for Data Protection, Dr. Des Hogan and Mr. Dale Sunderland, following a thorough investigation into TikTok’s data handling practices.
DPC Deputy Commissioner Graham Doyle emphasized that “TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
Data transfer violations explained
The core of TikTok’s violation was its failure to properly assess and mitigate the risks of transferring EEA users' personal data to China, a third country. The DPC's assessment focused on whether the protection afforded to that data in the People's Republic of China was essentially equivalent to EU standards, as the GDPR requires. Under GDPR’s Chapter V provisions, and specifically Article 46(1), companies transferring personal data outside the EEA must verify, guarantee, and demonstrate that their Standard Contractual Clauses (SCCs) and supplementary measures are effective in ensuring that the data remains protected to a standard equivalent to the EU's. The GDPR requires that personal data transferred outside the EEA continues to be afforded a high level of protection, which can only be the case if specific conditions are met, such as an adequacy decision for the destination country or the use of effective Standard Contractual Clauses.
Since China does not have an adequacy decision from the European Commission (unlike countries such as Canada, Japan, or the UK), TikTok was required to implement additional safeguards, typically through Standard Contractual Clauses (SCCs), to protect the EEA users' personal data it transferred to China.
However, the DPC found that TikTok failed to properly assess whether these safeguards were effective in the context of the Chinese laws identified, including the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law, and the National Intelligence Law. These laws diverge materially from EU standards and form part of a broader legal framework, including espionage and other laws, that affects international data transfers. The DPC highlighted that TikTok did not adequately assess the level of protection provided under Chinese law, which includes provisions, such as those in the Anti-Terrorism Law and the National Intelligence Law, that could allow Chinese authorities to access personal data.
The regulator determined that TikTok did not adequately address the potential access that the Chinese government and authorities in the People's Republic of China might have to EEA users' transferred data under these materially diverging laws. By failing to conduct a proper assessment and to verify, guarantee, and demonstrate the effectiveness of its SCCs and supplementary measures, TikTok could not implement appropriate safeguards to protect the user data it transferred to China.
Transparency breaches detailed
The second major violation concerned TikTok’s failure to properly inform users about data transfers to China. Article 13(1)(f) of GDPR requires companies to tell users when their personal data is being transferred to third countries.
The DPC found that TikTok’s October 2021 EEA Privacy Policy was inadequate in two key respects: it failed to name the third countries, including China, to which personal data was transferred, and it did not explain the nature of the processing operations involved in the transfer. Both omissions were critical deficiencies in transparency under GDPR.
TikTok subsequently updated its privacy policy in December 2022 to identify the third countries to which EEA user data was transferred and to inform users that personal data was stored on servers in the United States and Singapore, with remote access by entities in several countries including China. The DPC assessed TikTok's December 2022 EEA Privacy Policy as compliant with the requirements of Article 13(1)(f) GDPR.
The DPC determined that this updated policy resolved the transparency issues, which is why the violation period was limited to July 2020 through December 2022.
TikTok's response to the fine
Whilst TikTok maintains that it has never received a request for European user data from the Chinese authorities, TikTok has strongly contested the DPC’s findings and announced plans to appeal the decision in full. The company expressed disappointment at being “singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe.”
Christine Grahn, TikTok’s head of public policy and government relations for Europe, emphasized that the company “has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”
TikTok also warned that the ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale” and “delivers a blow to the European Union’s competitiveness.”
The company’s response highlights the tension between global tech operations and regional data protection laws, particularly when it comes to cross-border data flows.
Project Clover and TikTok's compliance efforts
TikTok pointed to its €12 billion investment in "Project Clover" as evidence of its commitment to European data protection. This initiative involves building multiple data centers within Europe to store European user data locally, rather than on servers in Singapore or the United States.
The first of these European data centers opened in Ireland, with additional facilities planned in Norway and other EU locations. TikTok has presented Project Clover as a comprehensive solution to concerns about data transfers to China, as it would theoretically eliminate the need for such transfers.
However, the Irish DPC determined that these efforts, while positive, were insufficient to address the violations identified in its investigation. The regulator noted that despite Project Clover's implementation, TikTok still needed to bring its data transfer operations into full compliance with GDPR requirements.
This suggests that even localized data storage may not fully resolve concerns if there remains any possibility of remote access from countries with surveillance laws incompatible with EU privacy standards.
Misleading information provided during investigation
In a troubling development, the DPC revealed that TikTok had provided incorrect information during the investigation. Throughout the inquiry, TikTok had consistently stated that it did not store EEA user data on servers in China.
However, in April 2025, TikTok informed the DPC that it had discovered in February 2025 that “limited EEA User Data” had actually been stored on servers in China, contrary to the company’s previous statements. This discovery meant TikTok had provided inaccurate information to investigators.
While TikTok informed the regulator that this data has since been deleted from Chinese servers, Deputy Commissioner Doyle stated that the DPC is “taking these recent developments regarding the storage of EEA User Data on servers in China very seriously” and is “considering what further regulatory action may be warranted.”
This discrepancy raises additional questions about TikTok’s data management practices and could potentially lead to further enforcement actions beyond the current fine.
To understand the significance of this case, it’s important to grasp how GDPR regulates international data transfers. GDPR’s Chapter V outlines strict requirements for sending personal data outside the European Economic Area, which are examined in depth in our cross-border data transfer GDPR guide.
The primary mechanism for lawful transfers is an “adequacy decision” from the European Commission, which certifies that a particular country ensures an adequate level of data protection. You can learn more about how the Commission evaluates countries in our overview of EU adequacy decisions and data protection standards. Currently, adequacy decisions exist for:
| Countries with adequacy decisions | Year granted |
|---|---|
| Andorra | 2010 |
| Argentina | 2003 |
| Canada (commercial organizations) | 2001 |
| Faroe Islands | 2010 |
| Guernsey | 2003 |
| Israel | 2011 |
| Isle of Man | 2004 |
| Japan | 2019 |
| Jersey | 2008 |
| New Zealand | 2012 |
| Republic of Korea | 2021 |
| Switzerland | 2000 |
| United Kingdom | 2021 |
| United States | 2023 |
| Uruguay | 2012 |
For countries without adequacy decisions, like China, companies must implement additional safeguards through mechanisms such as Standard Contractual Clauses (SCCs). However, following the landmark Schrems II decision by the European Court of Justice in 2020, companies cannot rely solely on SCCs if the receiving country’s surveillance laws undermine the protection they provide.
Instead, companies must assess the legal framework of the destination country and implement supplementary measures to ensure GDPR-level protection. If this isn’t possible, the data transfer should not occur.
Chinese surveillance laws and EU data protection
The TikTok case highlights the fundamental conflict between Chinese national security laws and EU data protection principles. Several Chinese laws grant authorities broad powers to access data held by companies:
- Anti-Terrorism Law: Requires companies to provide technical support and assistance to authorities in terrorism prevention and investigation activities
- Counter-Espionage Law: Mandates that organizations and individuals support and assist counter-espionage work
- Cybersecurity Law: Gives authorities broad powers to conduct security inspections of network operators
- National Intelligence Law: Obligates organizations and citizens to support, assist, and cooperate with intelligence work
These laws create a legal environment in which Chinese authorities can potentially access personal data with limited independent oversight or judicial review. This stands in stark contrast to GDPR’s principles of purpose limitation, data minimization, and protection against unauthorized access. Given these laws, organizations must proactively address potential access to personal data by Chinese authorities, verifying and demonstrating that the data is protected from unauthorized access as GDPR requires.
TikTok’s own assessment acknowledged these divergences from EU standards, which proved critical in the DPC’s finding that the company failed to ensure essentially equivalent protection for transferred data.
Implications for other companies transferring data to China
The TikTok decision sets a precedent that could have far-reaching consequences for any organization transferring personal data from Europe to China. It signals that European regulators are taking a stricter approach to assessing the adequacy of protection for such transfers.
Companies operating across Europe and China will need to conduct structured Data Transfer Impact Assessments (DTIAs) for their international data transfers. In particular, they will need to:
- Conduct thorough transfer impact assessments focused specifically on Chinese surveillance laws
- Implement robust supplementary measures beyond standard contractual clauses
- Consider data localization strategies to minimize transfers to China
- Be fully transparent with users about any data flows to China
This ruling may accelerate the trend toward data localization, with more companies following TikTok's lead in establishing European data centers to avoid cross-border transfers entirely (similar localization pressures arise under Brazil's LGPD cross-border data transfer regime). However, even with data stored in Europe, companies will need to carefully control remote access from countries like China.
The decision also highlights the growing geopolitical tensions in digital trade, as different regions establish incompatible regulatory regimes for data governance. This fragmentation creates significant compliance challenges for global companies.
The €530 million fine in context
The €530 million penalty imposed on TikTok ranks as the third-largest fine ever issued under GDPR. Only Luxembourg's €746 million fine against Amazon in 2021 and Ireland's €1.2 billion fine against Meta in 2023 exceed it, as discussed in our overview of the biggest GDPR fines of 2025.
This substantial financial penalty reflects the seriousness with which European regulators view data transfer violations, particularly when they involve countries with extensive surveillance powers. The breakdown of the fine - €485 million for transfer violations and €45 million for transparency failures - indicates that regulators consider the data transfer issues significantly more serious.
The size of the fine also demonstrates the DPC's willingness to impose substantial penalties against major tech platforms. The Irish regulator has faced criticism in the past for moving slowly on complaints against tech giants, but this decision, along with recent actions against Meta, signals a more assertive approach consistent with broader GDPR fines and enforcement patterns in 2025.
What happens next for TikTok
TikTok faces several critical decision points following this ruling:
- Appeal process: The company has announced its intention to appeal the decision in full. This legal challenge could take years to resolve through the Irish courts and potentially the European Court of Justice.
- Six-month compliance deadline: Regardless of the appeal, TikTok has been given six months to bring its data processing operations into compliance with GDPR’s Chapter V requirements. The DPC's decision included an order that, if TikTok does not comply within this period, it must suspend data transfers to China.
- Potential further investigations: The DPC indicated it is considering additional regulatory action regarding TikTok’s incorrect statements about storing European user data in China. This could lead to further penalties.
- Accelerating Project Clover: TikTok will likely fast-track its European data localization efforts to minimize the need for any data transfers to China.
The case may also inspire similar investigations by other data protection authorities across Europe, potentially leading to a coordinated approach to Chinese data transfers more broadly.
The TikTok case demonstrates the complexity of GDPR compliance, particularly regarding international data transfers. Organizations handling personal data can benefit significantly from specialized GDPR compliance tools and software platforms to navigate these challenges.
Compliance platforms like ComplyDog GDPR compliance software offer comprehensive solutions that help companies:
- Map data flows: Identify and document all cross-border transfers of personal data, ensuring no transfers slip through unnoticed.
- Conduct transfer impact assessments: Systematically evaluate the legal frameworks of destination countries and assess whether appropriate safeguards are in place.
- Implement appropriate safeguards: Deploy and manage standard contractual clauses and supplementary measures for different types of transfers.
- Maintain transparent documentation: Generate and update privacy notices that clearly communicate to users where their data is being transferred, aligning with the seven core principles at the heart of GDPR compliance.
- Monitor regulatory changes: Stay updated on evolving requirements and new adequacy decisions that may affect compliance obligations.
- Demonstrate accountability: Maintain detailed records of all compliance activities to satisfy regulatory inquiries, ideally surfaced through a centralized GDPR compliance monitoring dashboard.
With GDPR fines reaching hundreds of millions of euros, investing in proper compliance tools is not just a regulatory necessity but a sound business decision that should be factored into a realistic GDPR compliance cost and budgeting plan. The TikTok case shows that regulators are particularly focused on international data transfers and transparency requirements - precisely the areas where compliance software provides the most significant value.
By implementing a systematic approach to data protection compliance, companies can avoid costly penalties while building trust with their users, especially if they follow a structured GDPR compliance implementation roadmap. As global data protection regulations continue to evolve, having adaptable compliance systems becomes increasingly crucial for businesses of all sizes.