TikTok fails on privacy: €530 million fine for data transfers to China

In May 2025, TikTok received a €530 million fine from the Irish Data Protection Commission (DPC), one of the largest GDPR penalties issued to date. The DPC found that the platform had violated the GDPR on two fronts: it failed to adequately protect the personal data of European users against access from China, and it did not properly inform users that such access was taking place.

How did this happen?

The issue lay in the way TikTok processed the personal data of European users. For years, employees in China had remote access to sensitive data of EU users, such as names, phone numbers, location data, and platform behavior. Remote access from outside the EU counts as an international data transfer under the GDPR, and such a transfer is only permitted if the data enjoys a level of protection in the receiving country that is essentially equivalent to that within the EU.

However, TikTok could not demonstrate such protection. According to the DPC, the standard contractual clauses TikTok relied on were insufficient on their own, particularly in light of Chinese laws on national intelligence and cybersecurity that allow authorities to demand access to data and that conflict with European privacy principles.

The sanction

The sanction consists of a substantial fine of €530 million, divided into two parts:

  1. €485 million for violating the rules on international data transfers (Article 46 GDPR)
  2. €45 million for lack of transparency toward users (Article 13 GDPR)

Legal consequences

TikTok emphasizes that it has since taken measures to better safeguard the privacy of European users. Since 2023, the company has invested in Project Clover, an initiative to store the personal data of EU users exclusively on European servers under strict local control. However, the Irish supervisory authority ruled that this project came too late to justify or remedy the earlier violations. TikTok has since lodged an appeal against the decision. The company denies ever having handed data to the Chinese government and states that it has never received a request of that nature.

What can we learn from this?

– International data transfers require more than legal formalities. Signing contractual clauses is not enough; concrete technical and organizational safeguards are essential, especially when data can be reached from countries whose laws give authorities broad access to it.

– Transparency is crucial. Users have the right to clear information about who has access to their data and from which country.

– Trust is fragile. Even if data is not actively misused, a lack of control or communication can cause significant reputational damage.

– Privacy by design is essential. Acting proactively is better than trying to fix issues afterward. Security measures must be built in from the start, not added later in response to a crisis.

How NormNest can help

Would you like more information or expert advice? Schedule a no-obligation appointment with one of our team members.