Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China
02nd May 2025
The Irish Data Protection Commission has today announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data [1] of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.
The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China [2] and its transparency requirements [3]. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
DPC Deputy Commissioner Graham Doyle commented:
“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.
TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.
Erroneous information submitted to Inquiry
Throughout the Inquiry, TikTok informed the DPC that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.
Deputy Commissioner Doyle added that
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
The DPC will publish the full decision and further related information in due course.
[1] The Law on Data Transfers outside the EU
The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.
Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”).
To-date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.
Under the GDPR where an organisation (“Data Controller”) intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.
[2] The DPC’s Findings regarding the lawfulness of the Transfers
In this Inquiry TikTok Ireland was required to assess if Chinese law guaranteed an essentially equivalent level of protection to EU law. The Decision finds that TikTok’s transfers to China infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU. While TikTok maintains that transfers via remote access are not subject to the laws and practices in question, TikTok’s own assessment of Chinese law provided to the DPC during the Inquiry set out how aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law. The DPC had regard to this assessment and to the Chinese laws identified by TikTok which materially diverge from EU standards such as the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law. In particular, the DPC found that TikTok’s failure to adequately assess the level of protection provided by Chinese law and practices to the personal data of EEA users the subject of transfers, which said personal data is processed in China, not only directly impacted TikTok’s ability to select appropriate safeguards and supplementary measures, but also prevented TikTok from verifying and guaranteeing an essentially equivalent level of protection.
In exercising corrective powers, the DPC also considered ongoing changes brought about by TikTok under “Project Clover”. Notwithstanding these changes, the DPC found that it is appropriate, necessary and proportionate to order the suspension of the Data Transfers and to order TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of 6 months from the period allowed for an appeal against the DPC’s final Decision. The DPC considers 6 months to being a reasonable period to provide TikTok to put an end to the transfers in the circumstances.
[3] The DPC’s Findings regarding Transparency
Article 13(1)(f) GDPR requires data controllers to provide data subjects with information on that controller’s transfers of personal data to a third country. The DPC considered TikTok’s October 2021 EEA Privacy Policy and found that this policy was inadequate in two key respects for the purposes of Article 13(1)(f) GDPR.
First, TikTok’s 2021 Privacy Policy did not name the third countries, including China, to which personal data was transferred. Second, the 2021 Privacy Policy did not explain the nature of the processing operations that constitute the transfer. Specifically, the 2021 Privacy Policy failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China.
TikTok updated its Privacy Policy during the course of the Inquiry and provided its December 2022 EEA Privacy Policy to the DPC. That Privacy Policy did identify the third countries to which EEA user data was transferred. That Privacy Policy also informed EEA Users that personal data was stored on servers in the United States and Singapore, and was the subject of remote access by entities in TikTok’s corporate group located in Brazil, China, Malaysia, Philippines, Singapore, and the United States.
The DPC assessed TikTok’s December 2022 EEA Privacy Policy as compliant with the requirements of Article 13(1)(f) GDPR in terms of the Data Transfers subject to the material scope of the Decision. Therefore, the duration of the infringement of Article 13(1)(f) GDPR in the Decision relates to the period from 29 July 2020 to 1 December 2022.
The DPC imposes administrative fines totalling €530 million in this Decision, consisting of a fine of €45 million for its infringement of Article 13(1)(f) GDPR, and a fine of €485 million for its infringement of Article 46(1) GDPR.