- Irish Data Protection Commission fines TikTok EUR 530M for unlawful data transfers to China.
- EUR 485M for unauthorized remote access by employees in China; EUR 45M for breach of duty to inform.
- TikTok had failed to carry out necessary risk assessments; possible access to EEA data by Chinese authorities had not been sufficiently addressed.
- TikTok announces appeal; DPC orders corrections within six months or suspension of transmissions.
The Irish Data Protection Commission (DPC) imposed a fine of EUR 530M on TikTok on May 2, 2025 – EUR 485M for unlawful transfers of personal data to China and EUR 45M for a breach of the duty to inform:
- Media release (the decision itself is not yet available)
In September 2023, TikTok was equipped with a fine of EUR 345M. Only fines against Amazon (EUR 746M) and Facebook/Meta (EUR 1.2 billion) have been higher than the current fine. -
The transfer of personal data in question took place through remote access by TikTok employees in China. TikTok had apparently failed to verify this transfer as such:
As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.
TikTok was further obliged to bring its data processing into compliance with the GDPR within six months or to suspend the transfers thereafter.
TikTok has announced that it will appeal against the decision. The DPC had not sufficiently considered TikTok’s protective measures (“Project Clover”) and there had never been any requests from Chinese authorities for European user data.