TikTok has been hit with a €530 million fine by Ireland’s Data Protection Commission (DPC), the European Union’s lead regulator in this case, over serious breaches of user data protection rules.
The platform, owned by Chinese tech giant ByteDance, was also given a six-month deadline to fix its data practices or risk being banned from transferring EU user data to China.
The regulator said TikTok failed to guarantee that personal data belonging to users in the EU, data that was at times remotely accessed by staff in China, was being adequately safeguarded. The platform’s explanations didn’t convince the DPC.
In fact, TikTok couldn’t show that the Chinese laws governing data access, including counter-espionage regulations, did not clash with the high standards required by the EU’s General Data Protection Regulation (GDPR).
Despite TikTok’s protests, the DPC stood firm. It found that TikTok’s use of “standard contractual clauses” did not go far enough in addressing the risk that Chinese authorities could demand access to European user data.
And while TikTok insisted that no such request has ever been made by Chinese authorities, that didn’t change the outcome. The DPC made its ruling based on the risks—not just past actions.
Here’s where things get even more serious. During the course of the DPC’s four-year investigation, TikTok repeatedly claimed that no EU data was stored in China.
But earlier this year, the company admitted that it had discovered some data had been stored in China after all. The data was deleted, it said, but the damage was already done.
Deputy Commissioner Graham Doyle didn’t hold back: “The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted.”
This is not the first time TikTok has found itself in trouble with EU regulators. Just last year, the company was fined €345 million for mishandling children’s personal data.
TikTok has vowed to fight the latest decision. In a statement, the company said, “This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.”
It claims to have rolled out robust changes since 2023 under a data protection initiative called Project Clover. The project includes three new data centres in Europe and oversight by the British cybersecurity firm NCC Group.
With over 175 million users across Europe, TikTok insists its updated policies are some of the strongest in the tech industry. But the DPC isn’t buying it—not yet.
Until TikTok brings its data handling practices in line with EU law, the platform faces the risk of losing its ability to transfer user information from the EU to China entirely.
Since 2018, the DPC has held enforcement authority under GDPR and has levied sanctions on several tech giants with European headquarters in Ireland.
Microsoft, LinkedIn, X (formerly Twitter), and Meta have all been fined. The rules are clear—companies can be fined up to 4% of their global turnover if they break them.