TikTok has been hit with a staggering €530 million fine by Ireland’s Data Protection Commission (DPC) after it was found to have illegally transferred European user data to China, breaching the European Union’s strict data protection laws.
The ruling marks one of the largest penalties ever issued under the EU’s General Data Protection Regulation (GDPR), as the DPC concluded that TikTok failed to adequately safeguard the personal information of its users against China’s sweeping surveillance powers. The regulator said TikTok did not perform the necessary risk assessments to account for how Chinese laws could impact user data once it was transferred overseas.
At the heart of the issue is the concern that user data from millions of European TikTok users was accessed by employees in China, where the government can legally compel companies to hand over information. The DPC determined that TikTok’s internal controls between 2020 and 2022 were insufficient to ensure EU-level protections were in place, particularly given China’s national intelligence laws.
TikTok was fined €485 million for the unlawful data transfers and an additional €45 million for a lack of transparency in informing users that their data could be sent to China. The social media giant updated its privacy policy in 2022 to comply with EU standards, but the damage had already been done.
The company has responded defiantly, stating that it “strongly contests” the findings and plans to appeal the decision in full. TikTok’s head of public policy for Europe, Christine Grahn, said the company had already introduced “extensive safeguards” to protect user data and expressed frustration that the same legal mechanisms used by many other global companies were being penalized in their case.
TikTok also pointed to its ongoing Project Clover initiative, which involves building data centers in Ireland and Norway to localize European user data and restrict access from overseas. The company insists that it has never received a request from the Chinese government for European user data and has never provided any.
Despite TikTok’s rebuttal, the DPC’s ruling sends a clear message: companies operating in the EU must not only ensure transparency but also protect data from being funneled into jurisdictions where European protections cannot be guaranteed. The Commission has given TikTok a six-month window to bring all data handling operations into full compliance or risk further sanctions.
This case comes as TikTok continues to face mounting global scrutiny over its ties to parent company ByteDance and the Chinese government. With regulatory pressure building across Europe and the United States, the platform’s future may hinge on its ability to rebuild trust and prove that user privacy comes before political convenience.
