TikTok is facing a hefty 530 million euro fine from Ireland’s Data Protection Commission (DPC), the EU’s top privacy regulator. The penalty stems from the company’s failure to comply with the General Data Protection Regulation (GDPR) when transferring European users’ personal data to China.
The DPC’s investigation found that TikTok workers in China accessed European user data remotely without proper safeguards. Initially, TikTok denied storing or processing European users’ personal data in China. However, in February 2025, the company admitted that some data was processed on Chinese servers but claimed it was later deleted.
History of Privacy Concerns
This isn’t TikTok’s first brush with EU privacy regulators. In September 2023, the DPC fined the platform 345 million euros for failing to protect the personal data of children aged 13-17. The investigation revealed that the accounts of these users were public by default, and the “family pairing” feature allowed unverified adults to connect with minors through direct messages, posing a significant privacy risk.
In response to regulatory concerns, TikTok launched Project Clover, an initiative aimed at strengthening the protection and privacy of European users’ information. As part of this project, the company has started building three data centers in Europe – two in Ireland and one in Norway. The first center in Dublin is already operational and has begun transferring European user data. TikTok has also partnered with European cybersecurity firm NCC Group to independently monitor and audit its data controls and protections.
TikTok’s Next Steps
Despite these efforts, the DPC has given TikTok six months to comply with EU data protection regulations. If the company fails to do so, the regulator has warned that it will order a halt to all data transfers to China. TikTok has announced plans to appeal the decision, arguing that it has been working to implement data protection measures since 2023, including independent oversight of remote access and data storage in European and US data centers.
The case highlights growing concerns among European authorities about the protection of personal information and transparency in international data transfers, particularly to countries with different privacy regulations than the EU.