SOCIAL MEDIA platform TikTok has been fined €530m by the Irish Data Protection Commission (DPC) for transferring European users' data to China.
The DPC has also ordered the Chinese company to bring its processing into compliance within six months.
The decision includes an order suspending TikTok's transfers to China if processing is not brought into compliance within that time.
In a statement, TikTok said it disagreed with the decision and plans to appeal in full.
'Potential access by Chinese authorities'
The DPC said that throughout the inquiry, TikTok said it did not store European users' data on servers located in China.
However, in April 2025, TikTok informed the commission of an issue that it had discovered in February 2025 where limited data from European users had been stored on servers in China.
The commission found that TikTok infringed the GDPR regarding its transfers of European users' data to China and its transparency requirements.
"The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries," said DPC Deputy Commissioner Graham Doyle.
"TikTok's personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
"As a result of TikTok's failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards."
Mr Doyle added: "Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities."
'Considerable data security'
In its response, TikTok criticised the scope of the inquiry and said that despite the issue, no data had been shared with Chinese authorities.
"The decision primarily focuses on a select period from years ago, before the 2023 implementation of Project Clover, our €12bn data security initiative," said Christine Grahn, TikTok's Head of Public Policy & Government Relations in Europe.
"The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.
"The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm.
"The decision fails to fully consider these considerable data security measures.
"With 175m users across Europe, more than 6,000 employees in the region, and a platform that helped small businesses contribute €4.8bn to GDP and over 51,000 jobs, TikTok is deeply integrated into the European economy.
"This decision has implications not just for TikTok, but for any company in Europe operating globally. We disagree with this decision and intend to appeal it in full."
Earlier this year, TikTok informed the Irish Government of its plan to make redundancies in Ireland as part of a global restructuring.
The Communications Workers' Union said the company was shedding up to 300 employees, roughly 10 per cent of its Irish workforce.
Last September, TikTok reportedly scraped a plan for a second office close to its Sorting Office site in Dublin 2.
See More: Data Protection Commission, GDPR, Tiktok
