TikTok must pay a fine of 530 million euros - for data transfers to China

The Irish data protection authority DPC has imposed a fine of 530 million euros on the video platform TikTok.

The Irish Data Protection Commission (DPC) has imposed a fine of 530 million euros on the video platform TikTok for data protection violations. TikTok had forwarded European users' data to China and violated transparency requirements, the DPC explained in a statement on May 2.

Background to the proceedings against TikTok

The DPC acted in its role as the lead supervisory authority for TikTok within the meaning of the one-stop-shop procedure pursuant to Art. 56 GDPR. The subject of the investigation was, on the one hand, the lawfulness of data transfers to third countries in accordance with Chapter V GDPR, especially to countries without an adequacy decision of the EU Commission.

Secondly, the authority examined whether TikTok had duly complied with its transparency obligation pursuant to Art. 13 para. 1 lit. f GDPR.

Unlawful data transfers to China

According to the DPC's findings, TikTok violated Art. 46 para. 1 GDPR in particular. The company could not sufficiently ensure that personal data of EEA users, when accessed by Chinese employees, enjoys a level of protection that is "essentially equivalent" to that of the GDPR.

Particularly critical: TikTok's own assessment of Chinese law has already revealed significant deviations from European data protection standards - for example through the Chinese anti-terrorism law, the counter-espionage law and the national intelligence law.

Although TikTok uses so-called standard contractual clauses (SCC), the DPC also found that no effective additional safeguards were in place to prevent or control access to data by Chinese government agencies. The additional technical, organizational and legal measures required in light of the ECJ ruling "Schrems II" had not been sufficiently documented or implemented. This concerned, among other things, the encryption of sensitive data during remote access and the lack of transparent access protocols.

This deficiency led to the objection to TikTok's entire transfer practice. The DPC pointed out that TikTok's own assessment of Chinese law did not establish "essential equivalence" with the GDPR, so the basis for selecting safeguards and judging their effectiveness was lacking.

In the proceedings, TikTok referred to the ongoing infrastructure program "Project Clover", which provides for local data storage within the EU (particularly in Ireland and Norway) as well as independent control mechanisms. The DPC recognized this project as a positive step. However, it made the continuation of data transfers to China dependent on the full implementation of GDPR-compliant protection mechanisms.

Lack of transparency towards users

A key element of the DPC decision concerns TikTok's failure to provide users in the European Economic Area with clear and complete information about the cross-border processing of their personal data. According to Art. 13 para. 1 lit. f GDPR, companies are obliged to inform data subjects transparently about whether and to which third countries their data will be transferred and how this transfer takes place.

TikTok's data protection policy from October 2021 did not meet these requirements in key respects: neither were the specific third countries affected - in particular China - explicitly named, nor were the exact circumstances of the data transfers disclosed. In particular, it remained unclear that the transfers also involved remote access by employees based in China to data on servers in Singapore and the USA. This lack of transparency prevented users from exercising their data protection rights in full knowledge of the facts.

In the course of the proceedings, TikTok revised its privacy policy and submitted a new version dated December 2022 to the DPC. In the opinion of the authority, this new version met the requirements of Art. 13 para. 1 lit. f GDPR, as it not only named the third countries, but also explained the type of access and the server locations in more detail. The DPC found that the infringement covered the period from July 29, 2020 to December 1, 2022, during which TikTok did not sufficiently comply with its transparency obligations.

Misinformation during the procedure

A particularly serious aspect of the decision concerns TikTok's inadequate information policy towards the DPC during the ongoing proceedings. During the investigation, TikTok had repeatedly assured the DPC that no personal data of users from the EEA would be stored on servers in China. These assurances formed an essential basis for the DPC's assessment of the data flows.

However, in April 2025, TikTok informed the DPC that it had already discovered in February 2025 that, contrary to previous assurances, a limited amount of EEA user data had been stored on servers in China. TikTok explained that this was due to an internal error and a misunderstanding in the internal data classification. The affected data has since been deleted.

The DPC has taken this subsequent disclosure very seriously. The decision emphasizes that the provision of incorrect or misleading information in the context of supervisory procedures is a serious obstacle to effective control. Such misinformation can not only undermine the trust of the authority, but also significantly distort the data protection risk assessment.

The authority therefore announced a separate procedure to examine whether TikTok's behavior with regard to the late notification of data storage justifies further supervisory measures. Should intentional or grossly negligent conduct be established, this could lead to further sanctions.

Fine in the millions against TikTok

The DPC imposed a fine totaling 530 million euros:

  • 485 million euros for breach of Art. 46 para. 1 GDPR (unlawful data transmission),
  • 45 million euros for violation of Art. 13 para. 1 lit. f GDPR (lack of transparency).


TikTok was also obliged, within six months of the expiry of the complaint period, to bring all processing operations into line with the GDPR. Otherwise, all data transfers to China could be suspended.

Evaluation of the proceedings against TikTok

The DPC's decision has far-reaching significance beyond TikTok. It underlines the strict standards for international data transfers from the EU - especially to countries without an adequacy decision. Companies are obliged to carry out in-depth legal assessments and take technical and organizational measures to guarantee an equivalent level of data protection.

In addition, the importance of transparent user information is once again emphasized. Data protection guidelines must be clear, complete and comprehensible - especially in the case of cross-border processing.

Last but not least, the decision shows that incomplete or misleading disclosures to the supervisory authorities can have significant consequences. The DPC is already considering further regulatory action against TikTok for the delayed disclosure of the storage of EEA data in China.

Source: Notice from the Irish Data Protection Commission on the fine against TikTok