TikTok has been fined €530 million by Ireland’s Data Protection Commission (DPC) after an inquiry found it unlawfully transferred European Economic Area (EEA) user data to China.
In a statement issued today, the DPC said TikTok infringed the General Data Protection Regulation (GDPR) by failing to verify, guarantee, and demonstrate that personal data of EEA users remotely accessed by staff in China was afforded a level of protection “essentially equivalent” to that within the EU.
“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries,” DPC Deputy Commissioner Graham Doyle said.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
TikTok had previously informed the DPC during its inquiry that it did not store EEA user data on servers in China. However, in April 2025, TikTok admitted discovering an issue in February where limited EEA user data had indeed been stored on servers in China, contrary to its earlier claims.
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously,” Doyle said.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
The €530 million fine includes a penalty of €485 million for unlawful data transfers and €45 million for TikTok’s transparency failings under the GDPR.
The DPC also ordered TikTok to bring its data processing into compliance within six months, warning that it will suspend TikTok’s data transfers to China if the company fails to meet this deadline.
During the inquiry, TikTok updated its privacy policies to address earlier transparency issues. The company’s December 2022 policy explicitly identified third countries, including China, to which EEA user data was transferred and detailed the remote access of data by staff located in several countries, including China.
The GDPR mandates stringent conditions for transferring personal data outside the EU, ensuring protection levels remain consistent with EU standards. Transfers without an EU “Adequacy Decision” must comply with specific safeguards, such as Standard Contractual Clauses, which the DPC found TikTok failed to properly implement.
The DPC said the full decision and further related details would be published shortly.
TikTok has been contacted for comment.