TikTok fined €530 million by Irish regulator over data transfers to China

Privacy watchdog orders compliance measures following investigation into user data handling.

The Irish Data Protection Commission (DPC) has imposed a €530 million fine on TikTok and ordered corrective measures regarding the platform's transfers of European user data to China. The decision, announced on May 2, 2025, comes after an inquiry into TikTok Technology Limited to examine the lawfulness of the company's transfers of personal data of European Economic Area (EEA) users to the People's Republic of China.

The penalty represents one of the largest fines imposed under the General Data Protection Regulation (GDPR) to date and highlights growing regulatory concerns about cross-border data transfers. The decision includes an order requiring TikTok to bring its processing operations into compliance within six months and threatens to suspend the company's transfers to China if processing is not brought into compliance within this timeframe.

DPC Deputy Commissioner Graham Doyle stated that "the GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries."

Dual Violations Found

The Irish regulator, which serves as TikTok's lead supervisory authority in Europe, identified two major violations in its decision. First, TikTok was found to have infringed GDPR rules because it "failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU."

According to the DPC, TikTok's failure to conduct necessary assessments meant the company did not address potential access by Chinese authorities to European personal data under various Chinese laws, including anti-terrorism, counter-espionage, and other regulations that TikTok itself had identified as "materially diverging from EU standards."

The DPC's assessment specifically referenced several Chinese legal frameworks that presented concerns, including "the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law." The regulator determined that TikTok's own assessment of Chinese law provided during the inquiry outlined how aspects of the Chinese legal framework precluded a finding of essential equivalence to EU law.

The second violation related to transparency requirements. Article 13 of the GDPR requires data controllers to provide users with information on transfers of personal data to third countries. The DPC determined that TikTok's October 2021 EEA Privacy Policy was inadequate for these purposes.

Specifically, the 2021 policy failed to name the third countries, including China, to which personal data was transferred. It also did not explain that processing included remote access to personal data stored in Singapore and the United States by personnel based in China.

Misleading Information Provided During Investigation

In a concerning development that could potentially lead to additional penalties, TikTok informed the DPC in April 2025 that it had discovered an issue in February 2025 where "limited EEA User Data had in fact been stored on servers in China, contrary to TikTok's evidence to the Inquiry." The company acknowledged that this discovery meant TikTok had provided inaccurate information during the investigation.

Deputy Commissioner Doyle noted that the DPC is "taking these recent developments regarding the storage of EEA User Data on servers in China very seriously" and stated that while TikTok has informed the regulator that the data has been deleted, the authority is "considering what further regulatory action may be warranted, in consultation with peer EU Data Protection Authorities."

Extensive Data Collection Practices Highlighted

This regulatory action comes just days after a detailed examination of TikTok's Terms of Service by Brett Trembly, CEO of GetStaffedUp and founding partner of Trembly Law Firm. Trembly spent five hours reviewing TikTok's terms and shared his findings on X (formerly Twitter) on April 28, 2025, highlighting an array of permissions that many users unknowingly grant when using the app.

According to Trembly's examination of the platform's Terms of Service, last updated in November 2023, TikTok requires permissions that grant extensive access to users' devices and personal information, including address books, clipboard contents, keyboard inputs, and full camera functionality. The platform's terms explicitly state: "By submitting User Content via the Services, you hereby grant us an unconditional irrevocable, non-exclusive, royalty-free, fully transferable, perpetual worldwide licence to use, modify, adapt, reproduce, make derivative works of, publish and/or transmit, and/or distribute and to authorise other users of the Services and other third-parties to view, access, use, download, modify, adapt, reproduce, make derivative works of, publish and/or transmit your User Content in any format and on any platform, either now known or hereinafter invented."

This broad license effectively provides TikTok with extensive rights over all content uploaded to the platform, extending far beyond what many users might reasonably expect from a social media application.

Section 5 of TikTok's Terms of Service outlines numerous restrictions on user behavior, while Section 7 details the company's rights regarding user-generated content. The terms also specify that users grant TikTok "a royalty-free license to use your user name, image, voice, and likeness to identify you as the source of any of your User Content."

Broader Regulatory Context

The Irish DPC's decision represents the latest development in a series of regulatory actions targeting TikTok's data practices. In February 2024, the European Commission opened formal proceedings against TikTok under the Digital Services Act (DSA), focusing on four key concerns: algorithmic systems that may stimulate behavioral addictions or create "rabbit hole effects"; measures to protect minors; the reliability of the platform's searchable repository for advertisements; and researcher access to public data.

At that time, Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, stated: "The safety and well-being of online users in Europe is crucial. TikTok needs to take a close look at the services they offer and carefully consider the risks that they pose to their users - young as well as old."

Commissioner for Internal Market Thierry Breton emphasized that "the protection of minors is a top enforcement priority for the DSA. As a platform that reaches millions of children and teenagers, TikTok must fully comply with the DSA and has a particular role to play in the protection of minors online."

Technical Implementation and Response

TikTok has responded to increasing regulatory pressure with several initiatives aimed at improving transparency and safety. In February 2025, the company published its fourth transparency report under the Digital Services Act, covering the period from July to December 2024.

According to this report, TikTok "proactively removed approximately 18 million pieces of violative content" during this six-month period, with an automated moderation accuracy rate of 99.1%. The report also introduced new metrics on illegal content reports from Trusted Flaggers and out-of-court disputes over content moderation decisions.

In April 2025, TikTok announced updates to strengthen its approach to platform integrity during the Romanian elections, where the platform had previously faced scrutiny. "As we approach the next round of elections in Romania, today we're announcing updates that strengthen our ongoing work to protect our platform and connect our community to reliable election information," the company stated in a newsroom post.

TikTok also published its fifth transparency report under the EU Code of Practice on Disinformation (COPD) in March 2025, detailing measures taken to combat misinformation, including an expanded fact-checking program covering 23 European languages.

The company has also implemented technical changes to address European concerns. The DPC's decision acknowledged ongoing changes brought about by TikTok under "Project Clover." However, the regulator determined that these changes were insufficient, concluding that "it is appropriate, necessary and proportionate to order the suspension of the Data Transfers and to order TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of 6 months."

Implications for the Digital Marketing Landscape

For marketing professionals utilizing TikTok as part of their digital strategy, the findings create significant compliance challenges. Companies investing in TikTok advertising or content creation must now evaluate whether their participation exposes their own corporate data or raises privacy concerns for their audience.

The combination of regulatory findings about data transfers and the extensive nature of TikTok's terms of service raises questions about appropriate data collection standards across social media platforms. Marketers must now balance the platform's reach and engagement capabilities against emerging compliance requirements and brand safety considerations.

Some social media users responding to Trembly's analysis noted that TikTok's data collection practices, while extensive, may not differ significantly from those of other major platforms. One user, identified as SEOforDeplorables, commented: "If you're terrified by that, try reading Google's ToS for every one of its products, including 'private' services like Gmail and Google Docs."

Another user, Michael Sanchez, challenged: "Cool. Now do the same for X, Facebook, Instagram. As their TOS's are 3x longer. We look forward to your objective comparison that we all know won't be coming."

These responses highlight a broader debate about data collection practices across major technology platforms, with some suggesting that TikTok's policies, while concerning, may not be significantly different from those of other popular services.

Privacy Controls and User Options

For users concerned about content recommendations, TikTok has implemented features to provide greater control. According to its Code of Practice on Disinformation report from the second half of 2024, users can filter specific words or hashtags from their For You feed and select "not interested" on content they don't wish to see more of.

The platform also offers a "For You refresh" option that enables users to discover entirely new content if they feel their recommendations have become too similar or irrelevant. Additionally, European users can turn off personalization entirely to see non-personalized content in their feeds.

For researchers, TikTok provides access to platform data through its Research API, Virtual Compute Environment (VCE), Commercial Content API, and Commercial Content Library. During the second half of 2024, TikTok received 148 applications from researchers in the EU and EEA to access these research tools.

A Shifting Regulatory Landscape

As digital privacy concerns continue to shape the technology landscape, platforms like TikTok find themselves navigating increasingly complex regulatory environments. The European Union's Digital Services Act, which fully came into effect in February 2024, represents one of the most comprehensive attempts to regulate online platforms and their data practices.

The Irish DPC's decision to fine TikTok €530 million represents just one component of a broader regulatory push. The penalty structure includes a fine of €45 million for TikTok's infringement of Article 13(1)(f) GDPR related to transparency requirements, and a substantially larger fine of €485 million for its infringement of Article 46(1) GDPR regarding the lawfulness of data transfers.

Growing public awareness of data collection practices may lead to increased scrutiny of platform choices by both consumers and brands. Marketing strategies will need to account for potential backlash against platforms perceived as compromising user privacy, while also addressing the technical requirements of effective digital engagement.

For TikTok users, these findings serve as a reminder of the importance of reviewing and understanding the permissions granted to apps. While the platform offers entertainment and creative opportunities for its 159 million European users, these benefits come with trade-offs in terms of data sharing and privacy.

Timeline

  • November 2023: TikTok updates its Terms of Service with extensive data collection provisions
  • February 2024: European Commission opens formal proceedings against TikTok under the Digital Services Act
  • February 21, 2025: The DPC submits a draft decision to the GDPR cooperation mechanism
  • February 2025: TikTok discovers that limited EEA User Data had been stored on servers in China, contrary to previous statements
  • March 2025: TikTok publishes fifth transparency report under EU Code of Practice on Disinformation
  • April 28, 2025: Brett Trembly, law firm CEO, posts detailed analysis of TikTok's Terms of Service after spending five hours reviewing the document
  • April 2025: TikTok announces updates to strengthen platform integrity during Romanian elections and informs the DPC about the incorrect information provided during the inquiry
  • May 2, 2025: The Irish Data Protection Commission announces its final decision following the inquiry into TikTok, as ongoing debate continues about appropriate data collection standards across social media platforms