TikTok faces a €530 million ($600 million) penalty after Irish regulators ruled the platform unlawfully sent European user data to China. The Irish Data Protection Commission (DPC), which oversees European Union (EU) privacy enforcement due to TikTok’s headquarters in Ireland, said the Chinese-owned app breached the EU’s General Data Protection Regulation (GDPR) by failing to ensure data protections under Chinese surveillance law.
The DPC found that between 2020 and 2022, TikTok transferred personal data of EU users to China without proper safeguards and failed to disclose to users that Chinese staff could access that data. Deputy Commissioner Graham Doyle said TikTok “failed to verify, guarantee and demonstrate” adequate data protection levels for European users.
Of the total fine, €485 million addressed the illegal data transfers, while €45 million covered a lack of transparency in TikTok’s privacy policy. The ruling is the EU’s third-largest GDPR fine. TikTok has six months to comply or cease all transfers to China.
The investigation also revealed that TikTok admitted in April to discovering “limited EEA User Data” had been stored in China, contradicting years of denial. TikTok said it deleted the data but regulators are still considering further action.
TikTok strongly contests the ruling. Christine Grahn, TikTok’s head of public policy for Europe, said the decision “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe.” She added, “We are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies.”