TikTok hit with €530m fine by EU for unlawful data transfers to China
TikTok has received a €530 million (£451.9 million) fine from Ireland’s data protection authority for violating EU data privacy laws, marking a major escalation in European scrutiny of international tech companies and their global data transfer practices.
The decision, delivered by Ireland’s Data Protection Commission (DPC), ranks as the third-largest fine ever issued under the EU’s General Data Protection Regulation (GDPR). It is the first time an EU regulatory body has taken direct enforcement action against a company specifically over data transfers to China.
Central to the case is the DPC’s conclusion that TikTok did not sufficiently evaluate the risks posed by Chinese legislation that could permit state access to personal information stored overseas, particularly data from EU users. The regulator determined that TikTok failed to offer any substantial assurances that user data accessed or transferred from China would be sufficiently protected in accordance with European privacy norms.
Owned by Beijing’s ByteDance, TikTok had previously claimed that it did not house European user data in China. However, in early 2024, it acknowledged that “limited” EU user data had been discovered on servers situated in China. The DPC’s report indicated that while the company has since removed that data, it did not act promptly, which led to the fine.
In addition to the primary fine, TikTok was handed a supplemental €45 million penalty for its lack of transparency concerning its privacy policies from 2020 to 2022. During that time, the platform failed to inform users clearly that their data could be accessed from China, a significant omission under GDPR’s transparency mandates.
TikTok has communicated its intention to challenge the ruling. Christine Grahn, TikTok’s Head of Public Policy and Government Relations for Europe, stated in a written response: “In addition to the DPC’s apparent disregard for the extensive safeguards already in place by TikTok, we are disheartened to have been pointed out despite following the same legal framework as thousands of other companies operating in Europe.”
To tackle regulatory apprehensions, TikTok has updated its privacy policies and launched Project Clover — a €12 billion effort aimed at establishing local data centers throughout Europe, including locations in Dublin and Norway. The initiative is designed to diminish dependence on international data transfers and enhance confidence among European users. However, regulators have expressed that these pledges have come too late to alleviate the earlier violations.
TikTok’s regulatory difficulties in the EU go beyond GDPR. The company is currently being evaluated under the EU’s stricter Digital Services Act (DSA), which took effect in 2023. The DSA seeks to hold major online platforms more accountable for their user data management, content moderation, and protection of minors. TikTok has already received previous fines, including a €345 million penalty in 2023 for mishandling children’s data.
This recent ruling raises larger concerns about the future of cross-border data transfers and the obstacles tech companies face in dealing with differing legal frameworks. It also highlights the EU’s readiness to confront global tech giants regarding their data governance practices, particularly amid rising geopolitical anxieties surrounding China’s cybersecurity and surveillance regulations.
Beyond Europe, TikTok continues to experience difficulties in the United States due to similar national security worries. The Trump administration initially aimed to ban the app completely over concerns that American user data could be accessed by the Chinese government. Following various court disputes and shifting political dynamics, a new agreement appeared to be emerging in 2023 between ByteDance and US partners, potentially permitting TikTok to maintain its operations in the US under more stringent conditions.
However, that tenuous accord faced risk when former President Donald Trump issued an executive order implementing new tariffs on Chinese technology and setting a 75-day deadline for TikTok to resolve ownership and data transfer disputes. The situation illustrates the growing worldwide consensus on the necessity to address data sovereignty violations by tech firms with a global presence.
For additional information regarding the Irish Data Protection Commission’s ruling, the complete decision can be accessed [here](https://www.dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-fines-tiktok-eu530-million-and-orders-corrective-measures-following). The ruling also fits a pattern of increasingly tough measures from European data regulators, such as the €1.2 billion fine imposed on Meta earlier in 2023 for similar data transfer infractions.
As GDPR enforcement increases and geopolitical strains continue, the future of global data governance may be significantly influenced by these pivotal confrontations — and by how companies like TikTok choose to respond.




