TikTok has been fined €530 million ($600 million) by Ireland’s Data Protection Commissioner (DPC), its lead European Union privacy regulator, over concerns related to cross-border data transfers and user privacy.
The regulator also ordered the Chinese-owned social media company to suspend data transfers to China within six months unless it brings its data processing practices into compliance with EU law.
The DPC concluded that TikTok, owned by Beijing-based ByteDance, failed to demonstrate that the personal data of EU users, some of which is remotely accessed by staff in China, is adequately protected under the EU’s General Data Protection Regulation (GDPR). The ruling emphasized that the company did not sufficiently address the risk of access by Chinese authorities under local counter-espionage and surveillance laws.
TikTok strongly contested the decision, stating that it uses standard contractual clauses (SCCs) under EU law to govern cross-border data access, providing what it described as tightly controlled and limited remote access. The company said it plans to appeal the ruling and criticized the DPC for not fully considering recent data security enhancements introduced in 2023.
These measures include independent monitoring of data access and storing EU user data in dedicated centers located in Europe and the United States.
TikTok, which has 175 million users across Europe, maintains that it has never received a request for EU user data from Chinese authorities and has never provided such data. The company warned that the ruling could have broad implications, stating, “This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.”
The DPC further revealed that TikTok, despite previously claiming it did not store EU data in China, disclosed in April that it had identified and deleted a limited amount of such data that had been stored in China earlier this year.
The regulator said it is reviewing whether additional enforcement actions are necessary.
This marks the second major penalty TikTok has received from the DPC. In 2023, the platform was fined €345 million for violating children’s privacy rights under EU law.
Ireland’s DPC has emerged as a powerful enforcer of GDPR regulations, with authority over several global tech firms that base their European operations in Ireland. Since gaining sanctioning powers in 2018, the regulator has also issued fines against Meta, X (formerly Twitter), LinkedIn, and Microsoft.
Under GDPR, regulators can impose fines of up to 4% of a company’s global annual revenue across all European Economic Area member states, including Iceland, Liechtenstein, and Norway.
