TikTok Hit With Massive Fine Over EU User Data Transfers

TikTok is in hot water again! Ireland's Data Protection Commission (DPC) just slapped the popular video-sharing app with a €530 million ($601 million) fine. Why? Because they were caught transferring European users' data over to China, violating data protection regulations.

The DPC didn't mince words. "TikTok broke the GDPR rules when it came to sending data from European Economic Area (EEA) users to China and wasn't transparent enough about it," they said in a statement. Besides the massive fine, TikTok has six months to clean up its act and comply with data protection laws.

And get this: the order also demands that TikTok *stop* sending data to China within that same six-month window.

This all stems from an investigation that kicked off back in September 2021. The DPC wanted to know if TikTok was following the rules when it came to sending personal data to China and if they were meeting the strict requirements for data transfers to countries outside the EEA. That investigation has now concluded.

According to DPC Deputy Commissioner Graham Doyle, TikTok failed to ensure that European users' data received the same level of privacy protection in China as it does within the EU. This goes against Article 46(1) of the General Data Protection Regulation (GDPR).

Doyle also pointed out that TikTok didn't address concerns about potential access to user data by Chinese authorities under the country's anti-terrorism and counter-espionage laws, which are quite different from EU standards.

To make matters worse, the DPC says TikTok provided incorrect information during the investigation. Initially, TikTok claimed they *didn't* store EEA users' data on Chinese servers. But then, just last month, they admitted to the DPC that they'd found an issue in their systems back in February 2025 (yes, 2025!), which resulted in some EEA data being stored in China after all.

"TikTok says that data has now been deleted. We're now deciding if further action is needed, in consultation with our fellow EU Data Protection Authorities," Doyle stated.

TikTok, however, isn't taking this lying down. Christine Grahn, TikTok's head of public policy and government relations for Europe, argues that the DPC's decision doesn't consider Project Clover, their data security initiative for protecting European user data. She also claims the ruling doesn't reflect the safeguards they currently have in place.

"The DPC itself acknowledged in its report that TikTok has consistently stated it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them," Grahn said.

This isn't the first time TikTok has faced the DPC's wrath. Back in September 2023, they were hit with a €345 million fine for violating GDPR laws related to how they handled children's data. Looks like TikTok needs to seriously rethink its data practices in Europe.