The Irish Knowledge Safety Fee (DPC) has fined TikTok €530 million (over $601 million) for illegally transferring the non-public information of customers within the European Financial Space (EEA) to China, violating the European Union’s GDPR information safety rules.
The executive fines imposed by the Irish watchdog encompass a effective of €485 million for its infringement of Article 46(1) GDPR relating to the lawfulness of the information transfers to China and a effective of €45 million for its infringement of Article 13(1)(f) relating to the shortage of transparency.
TikTok was additionally ordered to convey its information processing into compliance inside six months, with the DPC planning to droop all information transfers to China if the corporate fails to replace its insurance policies in time.
DPC officers identified that the problem goes past the situation of the servers and can also be concerning the danger that Chinese language authorities may entry the information of European customers underneath home legal guidelines regarding terrorism and espionage, which contravene EU requirements.
“TikTok’s private information transfers to China infringed the GDPR as a result of TikTok did not confirm, assure and show that the non-public information of EEA customers, remotely accessed by employees in China, was afforded a stage of safety basically equal to that assured throughout the EU,” stated DPC Deputy Commissioner Graham Doyle.
“On account of TikTok’s failure to undertake the required assessments, TikTok didn’t handle potential entry by Chinese language authorities to EEA private information underneath Chinese language anti-terrorism, counter-espionage and different legal guidelines recognized by TikTok as materially diverging from EU requirements.”
The DPC added that TikTok claimed throughout the investigation that it didn’t retailer customers’ information from the European Financial Space (EEA) on servers positioned in China.
Nevertheless, in April 2025, TikTok revealed that it had found in February 2025 that some EEA person information had been saved on servers in China, contradicting the corporate’s earlier statements.
“The DPC is taking these latest developments relating to the storage of EEA Consumer Knowledge on servers in China very severely,” Doyle stated in a Friday assertion. “While TikTok has knowledgeable the DPC that the information has now been deleted, we’re contemplating what additional regulatory motion could also be warranted, in session with our peer EU Knowledge Safety Authorities.”
TikTok to enchantment DPC’s resolution
Nevertheless, Christine Grahn, TikTok’s Head of Public Coverage & Authorities Relations for Europe, stated the corporate disagrees with the DPC’s resolution and that it is planning to enchantment it as a result of it fails to think about TikTok’s new Challenge Clover information safety initiative.
“Below Challenge Clover, TikTok has applied superior privacy-enhancing applied sciences (PETs), corresponding to encryption-on-access and differential privateness, to make sure that non-restricted information is de-identified earlier than it may be accessed by workers in China,” Grahn stated. “Crucially, unbiased cybersecurity consultants at NCC Group have verified that these safeguards are working as supposed.”
That is the third-largest effective imposed by the Irish information safety authority to this point, after sanctioning Amazon with 746 million euros for its focused behavioral promoting practices and Fb with 1.2 billion euros for transferring information of EU-based customers to america.
Beforehand, TikTok was slapped with a €345 million ($368 million) effective by the DPC for violating the privateness of kids whereas processing their information and using “darkish patterns” throughout the registration course of and whereas posting movies, nudging customers towards deciding on choices that compromised their privateness.
In January 2023, TikTok was additionally fined €5 million ($5.4 million) by France’s information safety authority (CNIL) for failing to adequately inform customers about its cookie utilization and making it difficult to opt-out.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and methods to defend in opposition to them.
