UPDATE — NOVEMBER 2025: As of November 2025, the Irish DPC’s €530 million fine and corrective order against TikTok remain fully in force. TikTok has appealed the decision before the Irish High Court and is also contesting parts of it at the EU level, arguing that Chinese staff access to EEA data was limited and contractually safeguarded under GDPR Articles 46 and 49. Those cases are still pending.
The company says it met the six-month compliance deadline by expanding Project Clover, which now stores all EEA user data in Ireland and Norway, mirroring the “Project Texas” localization model used in the U.S. — but the DPC has not yet confirmed full compliance. The European Data Protection Board has issued no follow-up order, though French and German authorities have begun verification inquiries. The fine has not been reduced or suspended; TikTok reportedly placed the amount in escrow while appeals continue. In summary: no change to the penalty, appeals remain active, and oversight of TikTok’s EU-based data-handling reforms is ongoing.
ORIGINAL NEWS STORY:
TikTok Fined €530 Million by Irish Regulator Over Unlawful Data Transfers to China
The Irish Data Protection Commission (DPC) has fined TikTok €530 million and ordered corrective action following an investigation into the platform’s unlawful transfer of personal data from users in the European Economic Area (EEA) to China.
The DPC’s inquiry, acting in its role as lead supervisory authority under the General Data Protection Regulation (GDPR), found that TikTok Technology Limited failed to ensure an “essentially equivalent” level of data protection for EEA users whose data was accessed remotely by staff in China. The platform was also found to have breached transparency obligations by not properly informing users about the nature and destinations of the data transfers.
“The GDPR requires that the high level of protection provided within the EU continues where personal data is transferred to other countries,” said DPC Deputy Commissioner Graham Doyle. “TikTok did not meet these obligations, particularly in relation to the risk of access by Chinese authorities under national security laws.”
The DPC’s findings stemmed in part from TikTok’s own assessment of Chinese legal frameworks, including China’s Anti-Terrorism Law and National Intelligence Law, which the platform acknowledged could diverge significantly from EU privacy standards.
As part of the decision, TikTok has been ordered to bring its data processing operations into full compliance within six months. If it fails to do so, its data transfers to China will be suspended.
The investigation also revealed that TikTok submitted inaccurate information to the DPC, initially claiming that no EEA user data was stored in China. However, the company later admitted that a limited amount of such data had in fact been stored there and has since been deleted. The DPC is considering whether further regulatory action is warranted.
The fine includes €485 million for the unlawful data transfers and €45 million for failing to meet GDPR transparency requirements between July 2020 and December 2022.
The full decision will be published by the DPC in due course.
Need Help?
If you have questions or concerns about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
