The Ireland-based Data Protection Commissioner (DPC) fined TikTok 530 million euros ($600 million) on May 2, 2025, after concerns arose about the company’s user data protection practices. The regulator also instructed TikTok to suspend all transfers of user data to China unless it aligns its data processing practices with EU regulations within six months.
The DPC raised concerns that TikTok, owned by ByteDance, failed to prove that it adequately protected personal data of its EU users. The regulator specifically highlighted the risk of Chinese authorities accessing this data under national laws related to counter-espionage, laws that do not meet the EU’s data protection standards.
TikTok disagreed with the findings, asserting that it adhered to the EU’s legal framework, including using standard contractual clauses to limit remote access. The company also highlighted new security measures introduced in 2023, which independently monitor access and ensure that EU user data stays in data centers located in Europe and the U.S.
TikTok added that it had never received data requests from Chinese authorities and had never shared any data with them. The company also disclosed that a small portion of EU user data was mistakenly stored in China, but it deleted this data afterward.
TikTok intends to appeal the decision. It argues that this ruling could create a troubling precedent that affects global businesses. The company remains confident that its data protection measures align with EU regulations.
The DPC continues to assess the situation following TikTok’s recent disclosure about the accidental storage of EU data in China. The regulator has suggested it may take additional regulatory action as needed.
This is the second time the DPC has reprimanded TikTok. In 2023, it fined TikTok 345 million euros for violating privacy laws related to the processing of children’s personal data in the EU.
The powerful Irish privacy regulator, which serves as the lead regulator in the EU for many of the world’s top tech firms because of the location of their regional headquarters in Ireland, has also fined companies like Microsoft’s LinkedIn, X, and Meta since it received sanctioning powers in 2018.
Under the EU’s General Data Protection Regulation (GDPR), which also covers European Economic Area member states Iceland, Liechtenstein and Norway, the lead regulator for any given company can impose fines of up to 4% of its global revenue.