EU regulator hits TikTok with €530M fine over data transfers to China

The Irish Data Protection Commission (DPC) wants TikTok to pay a €530 million (£452 million) fine for violating the European Union’s data protection laws. The DPC, which oversees TikTok across the European Economic Area (EEA), says the video-sharing app failed to guarantee that the personal data of European users transferred to China would be protected from potential access by Chinese authorities.

“TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counterespionage, and other laws,” the DPC said in its ruling. “It failed to verify, guarantee, and demonstrate that European user data sent to China was protected.”

Under China’s 2017 National Intelligence Law, companies are legally obligated to support and cooperate with national intelligence work, a fact cited frequently by critics who question whether Chinese firms can resist government pressure.

In response, TikTok maintains it has never received a request for European user data from Chinese authorities nor shared such data with them.

Additional charges

In its report, the DPC further revealed that TikTok staff in China had remotely accessed some European user data, a move seen as inconsistent with the EU’s stringent privacy standards under the General Data Protection Regulation (GDPR).

The ruling also condemned TikTok for submitting “erroneous information” during the investigation. Initially, the company claimed that no EEA user data was stored in China, but later admitted to “limited” storage there. The DPC said this inaccurate information was taken “very seriously” and that further enforcement actions are being considered.

TikTok has six months to bring its data practices into compliance or face a suspension of data transfers to China.

TikTok to appeal

TikTok has announced its intention to appeal against the DPC's ruling. The company highlighted the safeguards it has implemented under its "Project Clover" data security scheme, which was unveiled in March 2023. However, the DPC investigation focused on the period between September 2021 and May 2023, predating the full implementation of these measures.

TikTok’s Chinese ownership continues to be a privacy and national security concerns in both Europe and the United States, where the app still faces threats of a ban.

The DPC’s decision is part of a broader EU push to enforce GDPR rules on global tech platforms. It follows earlier multimillion-euro fines against companies like Meta and Amazon for similar failures to adequately safeguard user data across borders.