TikTok — Enforcement
Executive Summary
The Irish DPC fined TikTok €530 million for unlawfully transferring EEA user data to China and failing to meet GDPR transparency requirements. During the inquiry, TikTok disclosed it had discovered in February 2025 that some EEA user data had been stored on Chinese servers — contradicting its own prior representations. TikTok was ordered to suspend data transfers to China within six months.
What Happened
On May 2, 2025, the Irish Data Protection Commission fined TikTok €530 million for unlawfully transferring personal data of EEA users to China and failing to meet GDPR transparency requirements. TikTok failed to verify that EEA user data accessed remotely by staff in China received protections equivalent to EU standards, and did not address potential access by Chinese authorities under Chinese anti-terrorism and counter-espionage laws. During the inquiry, TikTok initially stated it did not store EEA user data on Chinese servers, but in April 2025 disclosed it had discovered in February 2025 that limited EEA user data had in fact been stored on servers in China, contradicting its prior evidence. TikTok has been ordered to bring its data processing into compliance within six months or fac...
Who Is Affected
Users of the TikTok platform in the European Economic Area are affected. Their personal data was transferred to and accessed in China without adequate legal protections, and some data was stored on Chinese servers contrary to TikTok's representations.
Why It Matters
This case demonstrates that cross-border data transfers to countries without equivalent privacy protections can violate the GDPR even when conducted by major technology platforms. The €530 million fine and the discovery that TikTok provided inaccurate information during the regulatory inquiry highlight both the enforcement powers of EU data protection authorities and the challenges of verifying company claims about international data flows. The ruling establishes that companies must actively assess and address risks of government access to user data under foreign laws before conducting such transfers.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.
Sources