TikTok has been fined €530 million by the Irish DPC for unlawful data transfers to China and lack of transparency.
On 2 May 2025, the Irish Data Protection Commission (DPC), acting as lead supervisory authority under the GDPR, published its final decision in an inquiry into TikTok Technology Limited’s data transfers from the EEA to China. The DPC found TikTok in breach of both international data transfer requirements and transparency obligations under the GDPR. In addition to the fine, TikTok has been given six months to bring its processing activities into compliance or face suspension of its data transfers to China.
TikTok failed to demonstrate that its transfers to China ensured an essentially equivalent level of data protection.
The inquiry evaluated TikTok’s reliance on Standard Contractual Clauses (SCCs) and supplementary measures for legitimising data transfers. The DPC found TikTok in breach of Article 46(1) GDPR, concluding that the company did not sufficiently verify or demonstrate that the personal data of EEA users accessed remotely from China was afforded a level of protection essentially equivalent to that guaranteed within the EU.
TikTok’s own submissions acknowledged that Chinese laws—such as the Anti-Terrorism Law, Counter-Espionage Law, Cybersecurity Law and National Intelligence Law—materially diverged from EU standards. Nevertheless, TikTok proceeded with the transfers without implementing adequate safeguards. The DPC found that this failure impaired TikTok’s ability to appropriately assess risks and apply suitable protections.
TikTok did not provide EEA users with clear and sufficient information about data transfers to third countries.
The DPC also found that TikTok’s October 2021 EEA Privacy Policy did not meet the transparency requirements of Article 13(1)(f) GDPR. The policy failed to identify the specific third countries to which personal data was transferred, including China, and did not disclose the nature of the processing—namely, remote access to personal data stored in the United States and Singapore by staff located in China.
Although TikTok later updated its policy in December 2022 to address these issues, the DPC determined that the transparency infringement had occurred between 29 July 2020 and 1 December 2022. The fine of €530 million includes €45 million for the transparency breach and €485 million for the unlawful transfers.
TikTok disclosed that it had provided inaccurate information during the inquiry regarding data storage in China.
In a further development, TikTok informed the DPC in April 2025 that, contrary to earlier representations, a limited volume of EEA user data had been stored on servers in China. The company reported that the data was deleted, but the DPC is now considering whether further regulatory action is warranted.
TikTok has announced its intention to appeal.
In a recent statement, TikTok disagreed with the DPC’s findings, claiming that the decision focuses on historic practices that predate the 2023 rollout of Project Clover—its €12 billion data security initiative. According to TikTok, the DPC failed to give adequate weight to the extensive safeguards now in place.
TikTok defends its data security measures by highlighting Project Clover, an industry-leading framework featuring independent oversight by NCC Group, European data localisation, and advanced privacy technologies. The company emphasizes that European user data is stored by default in a European data enclave, remote access is tightly controlled and monitored, restricted data is inaccessible to employees in China, and independent cybersecurity experts have validated these safeguards.
This case underscores the continued regulatory focus on international data transfers and meaningful transparency under the GDPR
The DPC’s decision reinforces the importance of aligning data transfer mechanisms with EU legal standards, especially when transferring personal data to jurisdictions lacking an adequacy decision. It highlights the increasing expectations placed on organisations to conduct comprehensive legal and technical assessments and to provide clear, accurate information to data subjects.
