- I found the 15 best Mother's Day gifts for tech-loving moms (and you can shop them on Amazon)
- Introducing Docker MCP Catalog and Toolkit: The Simple and Secure Way to Power AI Agents with MCP Tools | Docker
- Zyxel launches 100GbE switch for enterprise networks
- Finally, I found an Android tablet that can withstand my durability torture tests
- I've tested every Linux music player, and this one is my new favorite - here's why
TikTok Fined €530m Over Transfers of European User Data to China
The Irish Data Protection Commission (DPC) announced on May 2 that it was issuing a €530m ($600m) fine to TikTok’s European branch following an inquiry into the company’s transfers of users in the European Economic Area (EEA) to China.
The DPC, Ireland’s national data protection regulator, is the Lead Supervisory Authority for TikTok in the EU.
It launched an inquiry into TikTok Technology Ltd and TikTok Ireland in September 2021 to examine the lawfulness of the social media giant’s transfers of personal data of users of the TikTok platform in the EEA to China. The inquiry assessed whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the EU’s General Data Protection Regulation (GDPR).
TikTok Failed to Ensure Equivalent Data Protection in China
Despite previously assuring that it did not store EEA user data on servers located in China, TikTok notified the DPC in April 2025 that some EEA user data had been identified on such servers in February 2025.
“TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry,” the DPC said in a public statement.
Therefore, Des Hogan and Dale Sunderland, both Commissioners for Data Protection, leading the investigation, found that TikTok infringed Article 46(1) of GDPR regarding its transfers of EEA user data to China and Article 13(1)(f) of GDPR regarding its transparency requirements.
Additionally, the DPC considers that TikTok’s own assessment of Chinese law revealed that it does not provide equivalent protection to EU law for personal data transferred to China.
Specifically, Chinese laws such as the Anti-Terrorism Law and National Intelligence Law diverge from EU standards. The DPC concluded that TikTok failed to properly assess the level of protection for EEA users’ data processed in China, which impacted its ability to implement adequate safeguards and ensure an equivalent level of protection.
Graham Doyle, the DPC Deputy Commissioner, commented: “TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” he added.
The total monetary sanction of €530m ($600m) consists of a €45m ($50m) fine for its infringement of Article 13(1)(f) GDPR and a €485m fine for its infringement of Article 46(1) GDPR.
Alongside these fines, the DPC has required TikTok to bring its processing into compliance within six months.
The decision also includes an order suspending TikTok’s data transfers to China if processing is not brought into compliance within this timeframe.
TikTok to Appeal the DPC’s Decision
TikTok expressed its disagreement with the Irish regulator’s ruling and announced its intention to lodge a full appeal.
Christine Grahn, TikTok’s head of public policy and government relations for Europe, wrote in a blog post on May 2 that a recent decision overlooked Project Clover, a €12bn ($14bn) initiative launched in 2023 to ensure the security of European users’ data.
Grahn stated that the decision was based on a specific period in the past, before Project Clover was implemented, and did not consider the current safety measures.
“It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place,” Grahn said.
“The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them,” she added.
Deputy Commissioner Doyle said the DPC takes these recent developments “very seriously.”
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” he added.
Photo credit: Rokas Tenys/Shutterstock
