
Ireland’s Data Protection Commission (DPC) on Friday fined popular video-sharing platform TikTok €530 million ($601 million) for violating data security rules in the region by transferring European users’ data to China.
“TikTok violated GDPR regarding its transfer of EEA [European Economic Area] user data to China and its transparency requirements,” the DPC said in a statement. “The decision involves a total administrative penalty of €530 million and an order requiring TikTok to bring its processing into compliance within 6 months.”
The order, moreover, requires the company to suspend data transfers to China within the time period.
The penalty is the result of an investigation launched in September 2021, which examined the company’s transfers of personal data to China and its compliance with stringent data security laws governing data transfers to third countries.
Commenting on the decision, DPC Deputy Commissioner Graham Doyle said that the personal data transfers to China went against Article 46(1) of the General Data Protection Regulation (GDPR) because the company failed to verify and guarantee that EEA users’ personal data was afforded protection equivalent to that guaranteed within the bloc.
Doyle further stated that TikTok did not address the concerns arising from possible access by Chinese authorities under anti-terrorism and counter-espionage laws in the country, which “materially” diverge from European Union standards.
The DPC also blamed TikTok for providing inaccurate information during the investigation, namely that it did not store EEA users’ data on Chinese servers, only for the company to reveal to the watchdog last month that it had identified an issue in its systems in February 2025 that resulted in a limited amount of EEA data actually being stored in China.
“While TikTok has informed the DPC that the data has now been removed, we are considering whether our colleagues can take further regulatory action in consultation with European Union data security officers,” Doyle said.
Christine Grahn, TikTok’s head of public policy and government relations for Europe, said that the decision failed to take into account a data security initiative aimed at protecting European user data, and that the ruling does not reflect current security measures.
“The DPC itself recorded in its report what TikTok has consistently said: it has never received requests from Chinese authorities for European user data, and has never provided them with European user data,” Grahn said.
This is the second fine imposed by the DPC on the ByteDance-owned company. In September 2023, TikTok was fined €345 million (then approximately $368 million) for violating GDPR in its handling of children’s data.