China’s TikTok has been slapped with a huge fine by Ireland’s data protection watchdog for a General Data Protection Regulation (GDPR) violation.
The Irish Data Protection Commission (DPC) announced on Friday “its final decision following an inquiry into TikTok Technology Limited,” and said it is fining TikTok a total of €530m (£452m) and ordering it to fix its data transfer violation within six months.
This is not the first time that TikTok has been fined by Ireland’s DPC. In September 2023 the DPC concluded that TikTok had breached GDPR child privacy laws between 31 July 2020 and 31 December 2020, and therefore fined the firm €345m (£294m).
GDPR violation
Ireland’s DPC said the inquiry had been launched in September 2021 in its role as the lead supervisory authority for TikTok in Europe, a role it holds because TikTok’s European headquarters is based in Dublin.
It examined the lawfulness of TikTok’s transfers of personal data of users of the TikTok platform in the EEA to the People’s Republic of China.
In addition, the inquiry examined whether the information provided to users about such transfers met the transparency requirements the GDPR places on TikTok.
Under the GDPR, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection.
The DPC found that TikTok infringed the GDPR regarding its transfers of EEA User Data to China and its transparency requirements.
“The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months,” the regulator stated. “The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.”
“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries,” said DPC Deputy Commissioner Graham Doyle.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Doyle.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” said Doyle.
Throughout the Inquiry, TikTok had informed the DPC that it did not store EEA User Data on servers located in China.
However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry.
TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously,” added Deputy Commissioner Doyle. “Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
TikTok appeal
TikTok has reportedly said it strongly disagreed with the decision and plans to appeal.
Meanwhile in the United States, it was revealed that the Federal Trade Commission (FTC) was investigating TikTok for its data and security practices.
And in April 2023 the UK’s Information Commissioner’s Office (ICO) had fined TikTok £12.7 million for failing to protect the privacy of children aged under 13.