Irish DPC fines TikTok €530M over EEA data transfers to China and orders corrective action.
The Irish Data Protection Commission (DPC) has issued its final decision after investigating TikTok Technology Limited. The investigation focused on whether TikTok’s transfer of personal data from users in the European Economic Area (EEA) to China was legal under the GDPR, and whether TikTok properly informed users about these transfers.
Under Article 5 of the GDPR, transparency and adequacy are key principles that promote lawful and fair use of personal data while protecting individuals’ rights.
Transparency
This means people should clearly understand how their personal data is being collected, used, and protected.
- Clear communication: Organizations must explain why and how data is processed.
- Accessible information: Details must be easy to find and understand.
- Privacy notices: Often used to share this information, but other methods are also acceptable.
- Awareness of rights: Individuals should know their rights, such as accessing or correcting their data.
Adequacy
This ensures that only the necessary and relevant data is collected and used.
- Data minimization: Collect only what is needed for the specific purpose.
- Purpose limitation: Use data only for clear, legitimate purposes.
- Relevance: Ensure the data collected is appropriate and not excessive.
The DPC concluded that TikTok violated multiple GDPR articles related to:
- Inadequate Protection of Transferred User Data: Transferring user data to China without ensuring adequate protection.
- Lack of Transparency in Informing Users About Data Transfers: Failing to provide clear and complete information to users about these data transfers.
As a result, TikTok has been fined €530 million. It has also been ordered to fix these issues within six months; if it does not, TikTok's data transfers to China will be suspended.
The DPC highlighted that TikTok did not take the necessary steps to ensure that EEA users’ personal data, which was accessed by staff in China, had the same level of protection as it would in the EU. TikTok also failed to properly assess the risk of Chinese authorities accessing this data under Chinese laws.
Furthermore, TikTok had previously told the DPC that EEA user data wasn’t stored in China. But in early 2025, it admitted that some data had in fact been stored on Chinese servers, contradicting its earlier statements. TikTok says the data has now been deleted, but the DPC is considering further action in response.
[1] Data Transfers Outside the EU – What the Law Says
The GDPR is designed to protect personal data in the EU/EEA. When that data is sent outside the region (to another country), it must still be protected to the same standard as under the GDPR. To make sure this happens, Chapter V lays out strict rules.
Data can only be transferred if:
- The European Commission has decided that the third country offers adequate protection (an “Adequacy Decision”), or
- The company transferring the data uses tools like Standard Contractual Clauses (SCCs) and confirms that the third country’s laws offer protection equivalent to EU standards.
So far, the EU has issued Adequacy Decisions for countries like Japan, the UK, the U.S. (under specific frameworks), and a few others.
If there’s no Adequacy Decision, the burden is on the company to assess the receiving country's laws and prove they offer strong data protection.
[2] What TikTok Did Wrong on Data Transfers
The DPC found that TikTok failed to carry out a proper risk assessment and did not ensure adequate safeguards when transferring personal data of EEA users to China.
Under the GDPR (Article 46(1)), when a company transfers data to a country outside the EU/EEA that doesn’t have an Adequacy Decision, it must:
- Assess the legal environment of that country, including any government surveillance or data access laws.
- Identify any gaps between that country's laws and the EU’s data protection standards.
- Implement safeguards (like Standard Contractual Clauses and additional technical or legal protections) to ensure the transferred data remains protected at a level essentially equivalent to EU standards.
- Demonstrate and document that these measures are effective.
TikTok failed to do this.
While it used Standard Contractual Clauses (SCCs), it did not demonstrate that these clauses, along with any other safeguards, would effectively protect user data in China. In fact, TikTok’s own legal analysis admitted that certain Chinese laws, including:
- The Anti-Terrorism Law
- The Counter-Espionage Law
- The Cybersecurity Law
- The National Intelligence Law
could allow Chinese authorities to access personal data in ways that conflict with EU privacy standards.
As a result, TikTok was unable to guarantee that personal data of EEA users accessed remotely from China would receive protection equivalent to that required by the GDPR. This violated Article 46(1).
TikTok’s internal project (“Project Clover”) is intended to address these issues, but the DPC still ordered TikTok to suspend the data transfers unless it brings them into compliance within six months.
[3] What TikTok Did Wrong on Transparency
Under Article 13(1)(f) of the GDPR, companies must tell users:
- Which countries their data is being sent to
- What kind of processing is involved
TikTok’s October 2021 Privacy Policy failed on both counts:
- It didn’t name the countries (like China)
- It didn’t explain that data was remotely accessed from China
TikTok updated its Privacy Policy in December 2022, making it clearer and compliant with the GDPR. Until then, however, from 29 July 2020 to 1 December 2022, it was not transparent about these transfers.
Penalties
The DPC fined TikTok €530 million in total:
- €485 million for unlawful data transfers (Article 46(1))
- €45 million for lack of transparency (Article 13(1)(f))
About Ardent Privacy
Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within their organizations, with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, provide meaningful data protection, and reduce the cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low-code platform to automate Privacy & AI governance, rapid discovery of sensitive data, and consent management, with a regional focus for global regulations.