The Irish Data Protection Commission (DPC) has fined TikTok a staggering €530 million ($601 million) for violating the GDPR by transferring European user data to China without ensuring equivalent protection standards. This landmark decision marks one of the largest fines under GDPR and places a spotlight on the persistent challenge of cross-border data transfers—particularly to jurisdictions like China with divergent national security and surveillance laws.
In this episode, we break down the DPC’s findings, which include TikTok’s failure to verify that Chinese legal protections matched EU standards, inadequate assessments of Chinese laws, and a lack of transparency in its privacy policies. The fine also follows TikTok’s admission in 2025 that some EEA user data was in fact stored in China—contradicting earlier statements and raising the possibility of further regulatory action.
We’ll also examine TikTok’s defense, including its multi-billion-euro “Project Clover” initiative, and its warnings about the ruling’s potential implications for all global businesses operating in the EU. From privacy law to data localization, this episode explores the evolving landscape of international data governance, what this decision means for GDPR enforcement in 2025, and why every global company should be paying attention.
