In a milestone ruling emphasizing the European Union’s dedication to data privacy, TikTok has been fined €530 million ($600 million) for breaching the General Data Protection Regulation (GDPR) by illegally shipping European user information to China. The fine, imposed by Ireland’s Data Protection Commission (DPC), represents one of the biggest enforcement actions taken against a technology firm under the GDPR regime.
The Investigation and Findings
The DPC’s four-year probe concluded that TikTok did not adequately protect the personal data of European users, opening the door to staff in China without ensuring protections as required by EU standards. The watchdog accused TikTok of not being transparent regarding foreign data transfers and not maintaining adequate security measures. Significantly, TikTok originally denied data storage within China but later confessed in February 2025 that some data had actually been stored on Chinese servers, contrary to earlier assertions to the DPC. Deputy Commissioner Graham Doyle stressed TikTok failed to appropriately evaluate the risks of access to data under the laws of China, which differ from the protections of the EU. The regulator highlighted concerns of Chinese government access to user data and pointed out that TikTok had provided false information during the investigation.
TikTok’s Response and Project Clover
TikTok, which is controlled by Chinese tech firm ByteDance, has said it plans to appeal the ruling. TikTok says the problems cited by the DPC are before the company began its current “Project Clover,” a €12 billion effort to tighten data security through the construction of three data centers in Europe. TikTok asserts that it has never transferred European user data to Chinese authorities and employed regular legal processes for the transfer of data.
In spite of these claims, the DPC has directed TikTok to implement GDPR requirements within six months or risk suspension of data transfers to China. The regulator is also contemplating additional regulatory action subject to peer regulator consultations.
Broader Implications and Previous Fines
This isn’t the first time TikTok has been criticized for data privacy. In 2023, the DPC penalized the firm €345 million for offenses relating to children’s data, such as making accounts public by default and not issuing clear information to kid users.
The current fine underscores the EU’s increasing vigilance over data protection practices, particularly concerning data transfers to countries with differing legal standards. It also highlights the challenges multinational tech companies face in navigating complex regulatory environments.
Global Context and Future Outlook
The TikTok case is a manifestation of deeper global tensions between data privacy and national security. In the United States, politicians have expressed concern over TikTok’s data practices, and this has resulted in continued legislative pressure on the firm to sell its American business.
With regulatory scrutiny increasing, cross-border technology companies must prioritize transparency and compliance with local data protection laws. The outcome of TikTok’s appeal and its attempts to get in line with EU regulations will be followed closely by industry participants and regulators globally.
