The Irish Data Protection Commission (DPC) has imposed a landmark €530 million fine on TikTok Technology Limited for unlawfully transferring European Economic Area (EEA) user data to China and failing to meet transparency obligations under the General Data Protection Regulation (GDPR).
The decision, finalized on May 5, 2025, follows a multi-year inquiry into TikTok’s data governance practices, revealing systemic gaps in its compliance with EU data protection laws.
Regulators found that TikTok inadequately safeguarded EEA user data accessed remotely by employees in China and misled authorities about its data storage practices.
The ruling requires TikTok to bring its data transfer mechanisms into compliance within six months or face suspension of data flows to China, marking a pivotal moment in transcontinental data privacy enforcement.
Legal Basis and GDPR Violations
The DPC’s investigation centered on TikTok’s compliance with Chapter V of the GDPR, which governs international data transfers.
Under Article 46(1), companies must ensure third-country data recipients provide protections “essentially equivalent” to EU standards when no adequacy decision exists.
China lacks such an EU adequacy designation, requiring TikTok to implement supplemental measures like Standard Contractual Clauses (SCCs).
However, the DPC determined TikTok’s safeguards failed to account for Chinese legal frameworks that grant authorities broad access to personal data, including the National Intelligence Law and Counter-Espionage Law.
These laws oblige Chinese entities to disclose data to state agencies for national security purposes, creating an irreconcilable conflict with GDPR’s strict limitations on government access.
Despite identifying these discrepancies in its internal assessments, TikTok did not address how SCCs could neutralize such risks.
The DPC concluded that TikTok’s failure to conduct adequate transfer impact assessments violated Article 46(1), warranting a €485 million fine, the bulk of the total penalty.
Separately, TikTok breached Article 13(1)(f) GDPR by omitting critical details about data transfers in its 2021 privacy policy.
The policy neither named China as a data destination nor disclosed remote access by Chinese personnel to EEA user data stored in Singapore and the U.S. A revised 2022 policy rectified these omissions, but the infringement persisted for over two years, resulting in an additional €45 million fine.
Discovery and TikTok Misrepresentations
Throughout the inquiry, TikTok repeatedly asserted that EEA user data remained stored exclusively in Singapore and the U.S., with Chinese access limited to “non-EEA” data.
This claim collapsed in April 2025 when TikTok admitted to discovering EEA data on Chinese servers during a February 2025 internal audit, contradicting its prior sworn submissions.
While TikTok reported deleting this data, the DPC emphasized the deception undermined trust and may prompt further sanctions.
The inquiry also scrutinized TikTok’s “Project Clover,” an initiative to localize EEA data in Ireland and Norway.
Although the project introduced encryption and third-party oversight, the DPC deemed these measures insufficient to counterbalance Chinese legal overrides.
Deputy Commissioner Graham Doyle noted TikTok’s reforms “failed to holistically address the structural risks posed by China’s legal framework,” particularly regarding state surveillance mandates.
Broader Implications for Cross-Border Data Transfers
The ruling sets a precedent for EU regulators assessing data flows to jurisdictions with conflicting national security laws.
By explicitly linking China’s legal regime to GDPR non-compliance, the decision complicates data transfers not just for TikTok but all multinationals operating in China.
Companies must now demonstrate how supplementary measures neutralize the impact of foreign legislation, a challenging threshold given China’s rigid statutory obligations.
TikTok has six months to overhaul its data transfer mechanisms or face suspension of Chinese access.
The DPC will collaborate with EU counterparts to monitor compliance, potentially reshaping how tech giants manage global data infrastructure.
For users, the decision reinforces GDPR’s extraterritorial reach, ensuring EEA citizens’ data enjoys uniform protections regardless of processing locations.
As cross-border data flows dominate digital commerce, this case underscores the growing clash between EU privacy norms and third-country surveillance laws.
With similar tensions emerging in U.S.-EU data relations, the TikTok penalty may catalyze stricter enforcement of GDPR’s transfer mechanisms worldwide.