TikTok is facing another major penalty in Europe. Ireland’s Data Protection Commission (DPC) has fined the video-sharing app €530 million for sending European user data to China without proper protections.
The DPC announced the decision on May 2 after a long investigation. TikTok failed to guarantee that personal data from the European Economic Area (EEA) would stay protected once transferred to China. This violates Article 46(1) of the GDPR, which requires companies to ensure E.U.-level privacy standards for exported data.
Under the ruling, TikTok must stop these data transfers and fix its processes within six months. The order reflects how seriously E.U. regulators take data security, especially when it comes to international transfers.
The case began in September 2021. Investigators looked into TikTok’s cross-border data practices and found troubling gaps. For example, TikTok initially claimed it didn’t store E.U. data in China. But in early 2025, the company admitted that a system flaw led to some user data being stored on Chinese servers after all.
That admission came late. According to DPC Deputy Commissioner Graham Doyle, TikTok’s earlier statements misled the watchdog. He also said the company failed to consider the risk of Chinese authorities accessing user data under that country’s national security laws. These laws differ sharply from Europe’s stricter standards on transparency and user rights.
TikTok later deleted the data, but that didn’t resolve the issue. The DPC is still reviewing whether more regulatory steps are needed. It’s also working closely with other E.U. data protection agencies on next moves.
This isn’t TikTok’s first GDPR penalty. In 2023, the company received a €345 million fine for mismanaging children’s data. With this latest penalty, TikTok’s total GDPR-related fines now sit at nearly €900 million.
TikTok, however, pushed back. Christine Grahn, the company’s head of public policy in Europe, said the ruling ignores Project Clover. This program was designed to keep European data safer and out of reach from foreign governments. Grahn also said TikTok has never received a request for user data from Chinese officials.
Despite those claims, regulators clearly remain skeptical. Their message is simple: claims of future safeguards don’t excuse past failures.
As global privacy rules tighten, tech companies must do more than talk. They need to prove that user data is protected—everywhere it’s stored. TikTok’s case shows that when they don’t, the financial consequences can be steep.
