As well as the administrative fines, TikTok has been ordered to bring its data processing practices into compliance with the GDPR within six months.
The Irish Data Protection Commission (DPC) has issued a €530m fine to TikTok over transfers of European user data to China.
In an announcement today (2 May), the DPC declared that the social media giant’s data transfers had breached the General Data Protection Regulation (GDPR). The authority also found that TikTok had failed to meet transparency requirements under the GDPR in relation to the provision of information to users regarding such transfers.
Today’s verdict – which was first reported on last month – concludes an investigation that the DPC began in 2021 over TikTok’s transfer of data to third countries.
According to the DPC, throughout the inquiry TikTok informed the authority that it did not store EEA user data on servers located in China. However, last month TikTok told the DPC that it had discovered in February 2025 that limited EEA user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the inquiry.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” commented DPC deputy commissioner Graham Doyle.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
As well as the administrative fine, TikTok has also been issued an order to bring its data processing into compliance with the GDPR within six months. While TikTok has informed the DPC that the data has now been deleted, Doyle said that the commission is now “considering what further regulatory action may be warranted”.
In response to the DPC’s decision, TikTok has outlined its disagreement with the verdict, stating that the decision doesn’t consider the company’s “stringent” data security measures featured in Project Clover – its billion-euro data security initiative.
“This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” read a statement from Christine Grahn, TikTok’s European head of public policy and government relations.
“It delivers a blow to the European Union’s competitiveness. Through Project Clover, a voluntary multibillion-euro initiative, TikTok has implemented a comprehensive solution that offers unmatched protections for European user data and privacy, while safeguarding global data flows and supporting continued innovation.
“At a time when European businesses and economies need innovation, growth and jobs, we believe the EU should welcome and support solutions like Project Clover, as a way to facilitate secure data flows between the EU and non-adequate countries, while guaranteeing the most robust protections for European data security and privacy.”
Across the pond, TikTok’s US operations remain in uncertainty. Despite the 5 April deadline for ByteDance to divest of the majority of its shares in TikTok, the social media giant was granted a 75-day reprieve thanks to an executive order signed by US president Donald Trump.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
