EU Fines TikTok €530 Million For Data Protection Failures

TikTok has been fined €530 million by EU regulators over data protection failures and may face a suspension of data transfers to China unless it complies with EU law.

    TikTok Fined €530 Million by EU Over GDPR Breaches and Data Transfers to China

    The European Union’s lead privacy watchdog has imposed a €530 million ($600 million) fine on TikTok over its failure to safeguard user data in line with General Data Protection Regulation (GDPR) standards.

    The fine, issued by Ireland’s Data Protection Commissioner (DPC), follows a four-year investigation into TikTok’s handling of European user data, particularly the remote access granted to staff in China. The regulator concluded that TikTok did not provide the level of protection required under EU law, especially regarding the potential for Chinese government access under national security legislation.


    TikTok Ordered to Comply Within Six Months or Face Data Transfer Suspension

    The DPC has given TikTok six months to bring its data processing practices into compliance. If it does not, the company must suspend all transfers of European user data to China.

    “TikTok failed to demonstrate that EU users’ personal data accessed remotely from China was adequately protected under EU law,”
    — DPC statement

    Although TikTok claimed throughout the inquiry that no user data was stored on Chinese servers, it recently admitted that some data had been stored in China as of February 2024, but was later deleted.

    “The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted,”
    — DPC Deputy Commissioner Graham Doyle


    TikTok Disputes the Decision and Plans to Appeal

    TikTok strongly contested the findings, stating that its cross-border data access follows the EU’s own mechanisms, including Standard Contractual Clauses (SCCs).

    “This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,”
    — TikTok spokesperson

    TikTok also said that the ruling failed to recognize new data security controls it implemented in 2023, including independent monitoring of data access and the use of regional data centers in Europe and the United States.

    The company emphasized that it has never received a request for EU user data from Chinese authorities, nor has it ever provided any such data.


    TikTok Faces Mounting Scrutiny in the EU

    This is TikTok’s second major GDPR violation. In 2023, the platform was fined €345 million for mishandling children’s personal data.

    The DPC, headquartered in Ireland, serves as the EU’s lead data regulator for global tech firms like TikTok, Meta, Microsoft, and X (formerly Twitter), due to their regional bases in the country.

    Under GDPR rules, regulators can impose fines up to 4% of a company’s global turnover. The regulation covers all EU member states, as well as Iceland, Liechtenstein, and Norway under the European Economic Area agreement.


    The DPC’s latest action adds to growing regulatory pressure on TikTok as it faces increasing compliance demands across Western markets concerning data sovereignty, user privacy, and cross-border data transfers.
