EU Fines TikTok €530 Million Over Data Privacy Breach Linked to China Access
The watchdog also criticised TikTok for not addressing the risk of Chinese government access to this data under laws that diverge from EU privacy standards.
The European Union has imposed a record €530 million ($600 million) fine on TikTok after a four-year investigation found the social media giant illegally transferred European user data to China and failed to ensure it was protected from access by Chinese authorities.
The penalty, announced by Ireland’s Data Protection Commission (DPC), also cited TikTok for a lack of transparency with users about where their personal data was being sent, ordering the company to comply with EU data protection rules within six months.
The DPC, which serves as TikTok’s lead regulator in the EU due to the company’s European headquarters in Dublin, concluded that TikTok “failed to verify, guarantee and demonstrate that the personal data of European users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” according to Deputy Commissioner Graham Doyle.
The watchdog also criticised TikTok for not addressing the risk of Chinese government access to this data under laws that diverge from EU privacy standards.
During the probe, TikTok acknowledged that some European user data had been stored in China, contradicting its previous denials. The DPC revealed that TikTok had initially provided inaccurate information about its data storage practices, only admitting in April 2024 that some data had indeed been stored in China. This revelation has prompted the regulator to consider further action.
TikTok strongly contests the ruling and plans to appeal. The company maintains it has never received or complied with requests from Chinese authorities for European user data.
TikTok also argues that the investigation focused on practices that ended in May 2023, before the launch of its “Project Clover” data localisation initiative, which includes three European data centres and independent oversight by cybersecurity firm NCC Group.
Christine Grahn, TikTok’s European head of public policy, said the decision “fails to fully consider these considerable data security measures”.
This is the second major fine TikTok has faced from the Irish regulator, following a €345 million penalty in 2023 for breaches related to children’s data processing. The latest ruling underscores persistent concerns in Europe over the privacy risks posed by Chinese-owned platforms and the challenges of enforcing strict data protection standards across borders.
