The platform plans to appeal, but new investigations are already looming.
TikTok has been hit with a €530 million ($570 million) fine by the European Union over violations of the bloc’s data protection rules.
The Irish Data Protection Commission (DPC), which leads GDPR enforcement for TikTok in the EU, issued the fine after finding that the company unlawfully transferred European users’ data to China, where parent company ByteDance is headquartered.
The DPC said TikTok violated two key provisions of the General Data Protection Regulation (GDPR): Article 46(1), relating to international data transfers, and Article 13(1)(f), concerning transparency obligations.
In total, the regulator issued two administrative fines—€485 million ($522 million) for data transfer violations and €45 million ($48 million) for failing to adequately inform users.
TikTok has rejected the DPC’s findings and announced its intent to appeal the decision in full.
EU Regulator Cites “Inadequate Safeguards”
DPC Deputy Commissioner Graham Doyle emphasized that under GDPR, companies must ensure that any transfer of personal data outside the European Economic Area (EEA) maintains a level of protection “essentially equivalent” to that within the EU.
“TikTok failed to verify, guarantee, or document that the data accessed by employees in China was protected to an EU-equivalent standard,” Doyle said in a statement, as cited by Trend.
He added that this exposed users’ data to potential access by Chinese authorities under national security and anti-terror laws.
TikTok now has six months to either bring its data processing practices into compliance or cease transferring European user data to China entirely.
Additional Violations Under Review
The DPC also accused TikTok of providing inaccurate information about the physical location of user data.
While the company had previously claimed that European user data was not stored in China, it later admitted in April 2025 that some data had, in fact, been located on servers there as recently as February.
TikTok has since said that the data has been deleted. However, the DPC is still evaluating the incident and may announce additional enforcement actions.
“We are consulting with our European counterparts to determine what further regulatory response may be required,” Doyle noted, according to TechRadar.
TikTok Responds
In response, TikTok said the DPC’s ruling focuses on historical practices and does not account for its latest security investments.
The company pointed to its €12 billion data protection program, known as Project Clover, which was launched in 2023 and includes data localization, third-party auditing, and restricted data access for staff.
“This decision fails to adequately consider Project Clover—our industry-leading initiative to safeguard European user data,” said Christine Grahn, TikTok’s Head of Public Affairs and Regulatory Relations in Europe. “It relates to a limited time period prior to Clover’s implementation and does not reflect our current security posture.”