Irish Information Security Forum

DPC Fines TikTok €530 Million Over Data Transfers to China

The Irish Data Protection Commission (DPC) has imposed a €530 million fine on TikTok following an inquiry into the social media platform’s handling of European user data.

The investigation focused on TikTok’s transfers of personal data from users in the European Economic Area (EEA) to China, assessing whether these transfers complied with the General Data Protection Regulation (GDPR).

The DPC determined that TikTok failed to verify, guarantee, and demonstrate that EEA user data, remotely accessed by staff in China, was afforded a level of protection equivalent to that guaranteed within the EU. The inquiry also found that TikTok’s transparency measures regarding these data transfers were inadequate, violating GDPR requirements.

DPC Deputy Commissioner Graham Doyle commented:

“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries. TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

As part of the ruling, TikTok has been ordered to bring its data processing operations into compliance within six months. If the company fails to meet this deadline, the DPC has mandated a suspension of TikTok’s data transfers to China.

TikTok had previously informed regulators that it did not store EEA user data on servers in China. However, in April 2025, the company disclosed that limited EEA user data had indeed been stored on Chinese servers, contradicting its earlier statements. This revelation has prompted further scrutiny, with the DPC considering additional regulatory actions.

TikTok has indicated that it intends to appeal the decision, arguing that its Project Clover initiative has already addressed many of the concerns raised by regulators.

For further details, you can read the full decision on the Irish Data Protection Commission’s website.

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

GTS Security,
Exo Building,
North Wall Quay,
Dublin 1,
D01 W5Y2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland

Forum SPONSORS

Invitations for Annual Sponsorship of IISF has now reopened.

(your logo & profile link here)

Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more

More News

M&S Halts Online Orders After Cyber Incident
Contactless Payments Restored Amid Ongoing Disruption

EU to impose €700m Fines for Apple and Meta
marks the first direct financial penalties under the Digital Markets Act.

IISF Members / Sponsors

secured by edgescan digital security radar logo