The Irish Information Safety Fee (DPC) has fined TikTok €530 million (over $601 million) for illegally transferring the non-public knowledge of customers within the European Financial Space (EEA) to China, violating the European Union’s GDPR knowledge safety rules.
The executive fines imposed by the Irish watchdog include a advantageous of €485 million for its infringement of Article 46(1) GDPR relating to the lawfulness of the info transfers to China and a advantageous of €45 million for its infringement of Article 13(1)(f) relating to the shortage of transparency.
TikTok was additionally ordered to carry its knowledge processing into compliance inside six months, with the DPC planning to droop all knowledge transfers to China if the corporate fails to replace its insurance policies in time.
DPC officers identified that the problem goes past the situation of the servers and can also be in regards to the threat that Chinese language authorities might entry the info of European customers underneath home legal guidelines regarding terrorism and espionage, which contravene EU requirements.
“TikTok’s private knowledge transfers to China infringed the GDPR as a result of TikTok did not confirm, assure and display that the non-public knowledge of EEA customers, remotely accessed by employees in China, was afforded a stage of safety primarily equal to that assured throughout the EU,” stated DPC Deputy Commissioner Graham Doyle.
“On account of TikTok’s failure to undertake the mandatory assessments, TikTok didn’t handle potential entry by Chinese language authorities to EEA private knowledge underneath Chinese language anti-terrorism, counter-espionage and different legal guidelines recognized by TikTok as materially diverging from EU requirements.”
The DPC added that TikTok claimed in the course of the investigation that it didn’t retailer customers’ knowledge from the European Financial Space (EEA) on servers positioned in China.
Nonetheless, in April 2025, TikTok revealed that it had found in February 2025 that some EEA consumer knowledge had been saved on servers in China, contradicting the corporate’s earlier statements.
“The DPC is taking these current developments relating to the storage of EEA Person Information on servers in China very severely,” Doyle stated in a Friday assertion. “While TikTok has knowledgeable the DPC that the info has now been deleted, we’re contemplating what additional regulatory motion could also be warranted, in session with our peer EU Information Safety Authorities.”
TikTok to attraction DPC’s resolution
Nonetheless, Christine Grahn, TikTok’s Head of Public Coverage & Authorities Relations for Europe, stated the corporate disagrees with the DPC’s resolution and that it is planning to attraction it as a result of it fails to contemplate TikTok’s new Venture Clover knowledge safety initiative.
“Below Venture Clover, TikTok has applied superior privacy-enhancing applied sciences (PETs), comparable to encryption-on-access and differential privateness, to make sure that non-restricted knowledge is de-identified earlier than it may be accessed by staff in China,” Grahn stated. “Crucially, impartial cybersecurity consultants at NCC Group have verified that these safeguards are working as meant.”
That is the third-largest advantageous imposed by the Irish knowledge safety authority to date, after sanctioning Amazon with 746 million euros for its focused behavioral promoting practices and Fb with 1.2 billion euros for transferring knowledge of EU-based customers to the US.
Beforehand, TikTok was slapped with a €345 million ($368 million) advantageous by the DPC for violating the privateness of youngsters whereas processing their knowledge and using “darkish patterns” in the course of the registration course of and whereas posting movies, nudging customers towards choosing choices that compromised their privateness.
In January 2023, TikTok was additionally fined €5 million ($5.4 million) by France’s knowledge safety authority (CNIL) for failing to adequately inform customers about its cookie utilization and making it difficult to opt-out.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and defend towards them.
