TikTok’s parent company ByteDance Ltd. has been fined €530 million by the Irish Data Protection Commission (DPC) for unlawfully transferring personal data of European users to servers in China.

The regulator confirmed the decision in a statement issued this week, citing violations of the European Union’s General Data Protection Regulation (GDPR).

As TikTok’s main data operations for the European Economic Area (EEA) are based in Ireland, the DPC serves as its lead supervisory authority under the EU’s one-stop-shop mechanism. The commission concluded that the Chinese-owned video-sharing platform breached GDPR provisions relating to data transfers outside the bloc.

The investigation found that staff at ByteDance in China accessed data of EU-based TikTok users remotely, without adequate safeguards in place to ensure an equivalent level of data protection as required under EU law. The DPC noted that TikTok failed to demonstrate that transferred data enjoyed protections in line with those provided within the EU, such as legally binding instruments or standard contractual clauses approved by the European Commission.

TikTok initially informed the Irish regulator that no European personal data were stored on servers located in China. However, in February 2025, the DPC discovered that a limited volume of such data had in fact been stored in China, contradicting the company’s earlier assurances. ByteDance later confirmed this and stated that the data in question had since been deleted.

The DPC further highlighted the seriousness of the infringement, particularly in the context of transparency and user trust. TikTok’s handling of cross-border data flows, according to the decision, lacked both sufficient documentation and legal justification under existing transfer mechanisms permitted by the GDPR.

In addition to the fine, the regulator has given TikTok a six-month deadline to bring its operations fully into compliance. This includes implementing measures to prevent any further unlawful data transfers and to establish transparent safeguards for the handling of personal information originating from the EU.

TikTok has announced its intention to appeal the decision. In a statement, the company said it disagreed with the findings and the scale of the fine, claiming it has made “substantial progress” in enhancing its data protection practices within Europe, including the development of local data centres and the migration of EU data to servers based in Ireland and Norway.

The case adds to growing scrutiny of TikTok across the European Union and internationally. The European Commission and several national governments have already introduced restrictions on the use of the app on official devices, citing concerns over data security and the possibility of unauthorised access by the Chinese state. ByteDance has consistently denied that it shares data with the Chinese government or that it would comply with any such request.

The Irish ruling marks one of the largest fines issued under the GDPR to date. It also follows a series of recent enforcement actions by the DPC, including penalties against Meta Platforms and other major tech firms over similar cross-border data issues.

Under the GDPR framework, transfers of personal data to third countries such as China are only permitted if the recipient country ensures an adequate level of data protection. In the absence of an EU adequacy decision for China, companies are required to rely on alternative mechanisms and to conduct thorough risk assessments to ensure that transferred data remain secure.

ByteDance is currently expanding its “Project Clover” initiative, aimed at reinforcing TikTok’s compliance with EU rules by localising data storage and limiting external access. However, privacy advocates and regulators have expressed concern that such efforts may not sufficiently address underlying structural risks.

The outcome of the appeals process is likely to set an important precedent for how data transfers to China by multinational technology companies will be assessed and regulated going forward.

This latest development underscores the EU’s increasingly assertive stance on digital sovereignty and data protection, particularly where geopolitical sensitivities intersect with regulatory enforcement.
