
Last Updated: 2025-05-02 ~ DPDP Consultants

TikTok Fined €530 Million for Illegally Transferring EU User Data to China

TikTok has been hit with a €530 million penalty by Ireland’s Data Protection Commission (DPC) for unlawfully transferring personal data of European users to China and failing to provide adequate transparency regarding its data practices.

The DPC, which oversees enforcement of the EU’s General Data Protection Regulation (GDPR) for companies headquartered in Ireland, found that TikTok violated multiple provisions of the regulation. The company was fined €485 million for the unauthorized data transfers and €45 million for failing to adequately disclose these practices in its privacy policies between 2020 and 2022.

The core of the issue lies in TikTok’s failure to assess and mitigate the implications of China’s surveillance laws, which grant the government broad access to corporate data, standards that diverge significantly from those mandated under EU privacy frameworks. Although TikTok has claimed in the past that it does not store European user data in China, the company disclosed earlier this year that a limited amount of European Economic Area (EEA) user data had indeed been stored on servers in China. The DPC expressed serious concerns about this revelation and is considering additional regulatory actions.

While TikTok has since updated its privacy policy and launched Project Clover, a €12 billion initiative to build local data centers in Europe, the regulator concluded that these measures did not absolve the company of past violations.

TikTok has strongly disputed the findings and announced plans to appeal the decision. The company argued that it has implemented extensive safeguards and relies on legal data transfer mechanisms used widely by other multinational companies. It also emphasized that it has never received or responded to a request for European user data from Chinese authorities.

Nonetheless, the DPC has ordered TikTok to bring its data processing operations fully in line with GDPR within six months—or face the suspension of all data transfers to China.


Implications for Indian Businesses Under the DPDP Act

This case serves as a powerful reminder for Indian organizations preparing for compliance with the Digital Personal Data Protection (DPDP) Act, 2023. Like the GDPR, the DPDP Act places a strong emphasis on data sovereignty, purpose limitation, user consent, and cross-border data transfers. It requires companies to conduct risk assessments, maintain transparency, and implement technical and organizational safeguards when processing personal data—particularly when it involves international data flows.

The TikTok ruling underlines the importance of proactive compliance, clear disclosures, and accountability in data processing practices. As enforcement ramps up globally, Indian companies must ensure they are not only compliant domestically but are also prepared to handle scrutiny under international data protection regimes.
