The Irish Information Safety Fee (DPC) has fined TikTok €530 million (over $601 million) for illegally transferring the private information of customers within the European Financial Space (EEA) to China, violating the European Union’s GDPR information safety rules.
The executive fines imposed by the Irish watchdog include a positive of €485 million for its infringement of Article 46(1) GDPR concerning the lawfulness of the info transfers to China and a positive of €45 million for its infringement of Article 13(1)(f) concerning the shortage of transparency.
TikTok was additionally ordered to carry its information processing into compliance inside six months, with the DPC planning to droop all information transfers to China if the corporate fails to replace its insurance policies in time.
DPC officers identified that the difficulty goes past the situation of the servers and can be in regards to the threat that Chinese language authorities may entry the info of European customers beneath home legal guidelines regarding terrorism and espionage, which contravene EU requirements.
“TikTok’s private information transfers to China infringed the GDPR as a result of TikTok did not confirm, assure and reveal that the private information of EEA customers, remotely accessed by workers in China, was afforded a degree of safety primarily equal to that assured throughout the EU,” mentioned DPC Deputy Commissioner Graham Doyle.
“Because of TikTok’s failure to undertake the required assessments, TikTok didn’t deal with potential entry by Chinese language authorities to EEA private information beneath Chinese language anti-terrorism, counter-espionage and different legal guidelines recognized by TikTok as materially diverging from EU requirements.”
The DPC added that TikTok claimed in the course of the investigation that it didn’t retailer customers’ information from the European Financial Space (EEA) on servers positioned in China.
Nevertheless, in April 2025, TikTok revealed that it had found in February 2025 that some EEA consumer information had been saved on servers in China, contradicting the corporate’s earlier statements.
“The DPC is taking these current developments concerning the storage of EEA Person Information on servers in China very significantly,” Doyle mentioned in a Friday assertion. “While TikTok has knowledgeable the DPC that the info has now been deleted, we’re contemplating what additional regulatory motion could also be warranted, in session with our peer EU Information Safety Authorities.”
TikTok to attraction DPC’s resolution
Nevertheless, Christine Grahn, TikTok’s Head of Public Coverage & Authorities Relations for Europe, mentioned the corporate disagrees with the DPC’s resolution and that it is planning to attraction it as a result of it fails to think about TikTok’s new Venture Clover information safety initiative.
“Below Venture Clover, TikTok has applied superior privacy-enhancing applied sciences (PETs), comparable to encryption-on-access and differential privateness, to make sure that non-restricted information is de-identified earlier than it may be accessed by staff in China,” Grahn mentioned. “Crucially, unbiased cybersecurity specialists at NCC Group have verified that these safeguards are working as supposed.”
That is the third-largest positive imposed by the Irish information safety authority up to now, after sanctioning Amazon with 746 million euros for its focused behavioral promoting practices and Fb with 1.2 billion euros for transferring information of EU-based customers to the US.
Beforehand, TikTok was slapped with a €345 million ($368 million) positive by the DPC for violating the privateness of youngsters whereas processing their information and using “darkish patterns” in the course of the registration course of and whereas posting movies, nudging customers towards choosing choices that compromised their privateness.
In January 2023, TikTok was additionally fined €5 million ($5.4 million) by France’s information safety authority (CNIL) for failing to adequately inform customers about its cookie utilization and making it difficult to opt-out.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and find out how to defend towards them.
