In September 2021 the Irish Data Protection Commission (DPC), acting as Lead Supervisory Authority, opened an investigation to verify TikTok’s compliance with its GDPR obligations regarding two topics: the verification of age requirements for users under 13 or 18 years of age, and the lawfulness of personal data transfers to the People’s Republic of China (China).
The investigation was concluded on May 2, 2025 with the DPC’s decision to impose a fine of 530 million euros on TikTok and to order it to bring its processing operations into GDPR compliance within six months; failing this, the transfers would be suspended. The draft decision under the Art. 60 GDPR cooperation mechanism had already been issued by the DPC in February 2025 and encountered no opposition from the other EU supervisory authorities.
The fine relates to identified GDPR violations concerning the unlawful transfer of users’ personal data to China, as well as a lack of transparency towards individuals—including minors—by the social media platform.
The DPC fine of 530 million euros comprises a fine of 45 million euros for the infringement of Article 13 para. 1 lit. f GDPR (transparency obligations) and a fine of 485 million euros for the violation of Article 46 para. 1 GDPR (transfers of EU personal data to recipients outside of the EU).
Breaches regarding the data transfers to China
The breach regarding data transfers stemmed from TikTok’s failure to ensure that the personal data accessed by TikTok staff in China were covered by a level of protection essentially equivalent to that guaranteed within the EU.
According to the DPC, TikTok committed two infringements:
- First, the submission of erroneous information: during the investigations, TikTok asserted that no EEA user data were stored on servers in China. However, in April 2025, the information was changed, following findings of February 2025 identifying that limited EEA user data had in fact been stored on servers in China.
- Secondly, the failure to undertake the necessary assessments to verify potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.
What are the legal requirements?
In addition to the requirement to use appropriate safeguards—such as the Standard Contractual Clauses (SCCs) approved by the European Commission—for transferring personal data from the EU to a country outside the European Economic Area (EEA), there is also an obligation to verify, ensure, and demonstrate that the laws and practices of the destination country provide a level of data protection essentially equivalent to that of the EU.
This Transfer Impact Assessment (TIA) is a responsibility of the data exporter, supported by the data importer. The exporter must assess different elements, including the legal background of the recipient country and the national laws allowing public authorities to access personal data “imported” from the EU, in order to evaluate the risks that the transfer to the third country would entail for the data subjects concerned. If the risk is high, further security measures must be implemented or, where this is not possible, the data transfer must be terminated.
According to the Irish DPC, TikTok failed the assessment because the company argued that remote data access from China is not subject to Chinese law, while its own analysis—submitted to the Irish DPC—showed that Chinese laws differ significantly from EU standards. The DPC found that TikTok failed to properly assess how Chinese law protects EEA users’ data, which meant it could neither choose proper safeguards nor ensure an equivalent level of data protection.
Despite TikTok’s efforts to invest over 12 billion euros in data security through ‘Project Clover’, the Irish DPC still deemed it necessary to order the suspension of data transfers. TikTok was also instructed to bring its data processing activities into compliance within six months, starting from the end of the appeal period against the DPC’s final decision.
Breaches of transparency obligations
In 2021, the Irish DPC found that TikTok’s privacy notice did not meet the legal requirements for providing information about personal data transfers—specifically, it failed to clearly identify the destination countries (including China) and to explain the nature of the transfers, such as the fact that staff in China could access user data remotely. In 2022, TikTok updated its privacy notice, which the Irish DPC ultimately considered acceptable, thereby restricting the period of the infringement to 2020-2022.
Lessons learned
The case at hand teaches that it is critical that data controllers comply with their duties and responsibilities under the GDPR on information obligations and data transfers. A clear and comprehensive privacy notice is a key tool for demonstrating that the controller complies with the principles and obligations of the GDPR when processing personal data. It also helps build trust by giving data subjects the opportunity to understand how their data is being processed and for what purposes.
In relation to data transfer compliance, this case demonstrates that the topic is still on the radar of the data protection authorities, especially given the development of new technologies. It also stresses the responsibility (and accountability duties) of organizations that intend to transfer personal data outside the EU/EEA to a third country for which the EU has granted no Adequacy Decision. Companies are obliged to ensure that such transfers take place only if the other applicable provisions of the GDPR (Chapter V) are met and all appropriate assessments have been performed to verify that the law and practices of the destination country guarantee a level of protection essentially equivalent to that within the EU.