Ireland fines TikTok €530 million for data transfers to China
Ireland’s Data Protection Commission (DPC) has today fined TikTok €530 million and ordered corrective measures following its inquiry into TikTok’s data transfers from the European Economic Area to China. TikTok is now also required to bring its processing into compliance within six months. If TikTok does not comply within this timeframe, the DPC may suspend the company’s data transfers to China.
DPC Deputy Commissioner Graham Doyle commented:
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
In April 2025, TikTok informed the DPC that limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry.
The DPC’s decision as the Lead Authority for TikTok was taken under the GDPR cooperation mechanism. The other EU DPAs had no objections to the DPC’s draft decision. The DPC will publish the full decision in due course.
Sandra Skehan, Deputy Commissioner and Head of Regulatory Activity, Data Protection Commission, Ireland, will speak on “Mastering the Maze: Navigating DSAR Compliance Across the UK and EU”, and Douglas McMahon, Partner, McCann FitzGerald, Ireland, will speak about “Recent decisions of Ireland’s Data Protection Commission” at the Privacy Laws & Business 38th International Conference.