TikTok fined €530 million by EU over data transfers to China

TikTok has been hit with a €530 million ($600 million) fine by the European Union over violations related to the handling and transfer of personal user data from Europe to China, marking one of the largest penalties ever imposed under the bloc’s data protection rules. The decision, announced Friday by Ireland’s Data Protection Commission (DPC), follows a multi-year investigation into TikTok’s data processing practices and its compliance with EU privacy laws.

The Irish regulator, acting as the lead EU watchdog for TikTok due to the company’s European headquarters in Dublin, found that the platform failed to sufficiently safeguard the personal data of its European users from potential access by Chinese authorities. In its ruling, the DPC stated that TikTok did not adequately demonstrate that personal data accessed remotely by staff in China received the level of protection required under the EU’s General Data Protection Regulation (GDPR).

Specifically, the DPC determined that TikTok did not address the risk of access by Chinese government agencies under China’s counter-espionage and other national laws, which materially diverge from EU data protection standards. Although TikTok had repeatedly maintained that it did not store EU user data on servers in China, the company disclosed in February that a limited amount of data had, in fact, been stored there before being deleted—a revelation the DPC said it was taking “very seriously.”

The regulator has given TikTok six months to bring its data processing practices into compliance with EU law or suspend data transfers to China altogether. In response, TikTok has announced plans to appeal the decision, asserting that it has never received a request for EU user data from Chinese authorities and has never provided such data. The company emphasized that it has implemented significant security measures since 2023, including independent monitoring of remote data access and the storage of user data in data centers located in Europe and the United States.

TikTok also contends that it uses EU-approved standard contractual clauses to manage international data transfers, and it described the ruling as a move that could set a dangerous precedent for globally operating firms. The platform has more than 175 million users across Europe and has grown rapidly, especially among teenagers.

This is the second major fine TikTok has received from the Irish watchdog. In 2023, the platform was fined €345 million for mishandling children’s personal data. The DPC, empowered to enforce GDPR since 2018, has previously levied substantial penalties against other tech giants, including Meta, LinkedIn, and Microsoft.

Friday’s decision comes as TikTok continues to face mounting scrutiny and regulatory pressure worldwide. Several countries, including France (in the territory of New Caledonia), Pakistan, and Nepal, have imposed temporary bans on the app over security concerns. In the United States, the company’s Chinese ownership has led to sustained political pressure. A law passed by Congress in 2024 requires TikTok’s parent company, ByteDance, to divest its U.S. operations or face a nationwide ban. The current deadline for the sale, which has been extended twice by President Donald Trump, is set to expire on June 19.

Meanwhile, China’s Foreign Ministry has denied any wrongdoing, stating on Saturday that the country "has never and will never require enterprises or individuals to collect or store data by illegal means." The ministry also called on the EU and Ireland to ensure a business environment that is “fair, just, and non-discriminatory” for all companies.