TikTok has been hit with a record-breaking €530 million ($602 million) fine by European regulators for illegally transferring the personal data of European users to China, raising serious concerns over data privacy and surveillance risks linked to the Chinese government.
The Irish Data Protection Commission (DPC), the lead privacy watchdog for the EU under the General Data Protection Regulation (GDPR), issued the fine after a multi-year investigation into TikTok’s data handling practices. According to the DPC, ByteDance, TikTok’s parent company, failed to ensure that user data was protected against access by Chinese authorities.
This penalty marks the third-largest GDPR fine in history, following similar high-profile cases involving tech giants.
TikTok Under Fire for Lack of Transparency and Data Security
Between 2020 and 2022, TikTok reportedly transferred data from users across the European Economic Area (EEA) to servers in China, without properly informing users or securing the data to GDPR standards. The platform initially denied storing EU data in China, but later admitted in February that a “limited amount” of EEA user data had indeed been stored on Chinese servers.
The DPC imposed two major penalties:
- €485 million for the unlawful data transfers to China.
- €45 million for lack of transparency regarding these practices.
In addition to the financial penalty, TikTok has been ordered to cease all illegal data transfers within six months.
DPC: Data Exposed to Chinese Surveillance Risk
DPC Deputy Commissioner Graham Doyle stated that TikTok “did not verify or guarantee that EU data accessed in China was protected to EU-equivalent standards.” This failure left the data potentially vulnerable under Chinese laws on anti-terrorism and counter-espionage, which differ sharply from European privacy protections.
Although TikTok has claimed that the data in question has since been deleted, the DPC said it is evaluating further regulatory action in coordination with other EU data protection authorities.
TikTok Responds: Defends Project Clover, Plans Full Appeal
TikTok strongly disagrees with the decision and announced plans to appeal the ruling in full. The company argues that Chinese authorities have never requested EU user data, nor has TikTok ever handed such information over.
Moreover, TikTok pointed to its ongoing Project Clover—an initiative launched in 2023 aimed at enhancing privacy through local European data centers and stricter controls. The company claims the DPC ruling is based on practices that predate Clover’s implementation and “does not reflect the current data protection safeguards in place.”
Nonetheless, the DPC clarified that it had “considered ongoing changes” in its ruling.
Ongoing Scrutiny: TikTok Faces More Regulatory Challenges in the EU
This latest penalty follows a $368 million fine in 2023, when the DPC determined TikTok failed to adequately protect the privacy of teenage users aged 13 to 17.
TikTok is also under active investigation by EU authorities for a variety of concerns, including:
- Inadequate safeguards against foreign election interference
- Potential harm from addictive algorithms
- Weak age verification processes
- Launching TikTok Lite in France and Spain without a proper risk assessment
 fine by European regulators for illegally transferring the personal data of European users to China){kind=link}