The Case:

On May 2, 2025, the Irish Data Protection Commission (DPC) found that TikTok violated core provisions of the GDPR by processing personal data of EEA users via remote access from China—without ensuring a level of protection equivalent to the EU standard. The DPC concluded that TikTok neither sufficiently demonstrated nor guaranteed that Chinese laws provide protections comparable to those required by the EU, especially considering China’s national laws (e.g., “Anti-Terrorism Law,” “Counter-Espionage Law”) significantly differ from EU regulations.

The DPC also criticized TikTok for failing to meet its information obligations under Article 13 GDPR. In its October 2021 Privacy Notice, TikTok did not name the third countries to which data was transferred and failed to clearly state that data was being accessed remotely from China. These details were only added in the revised version from December 2022, which now meets transparency standards.

The Outcome:

Due to these violations, the DPC imposed a total fine of 530 million EUR:

  • 485 million EUR for unlawful data transfers (Art. 46 GDPR)
  • 45 million EUR for lack of transparency (Art. 13(1)(f) GDPR)

Additionally, TikTok was ordered to adjust all data transfers to China within six months to comply with Chapter V of the GDPR, or to suspend them.

Implications for Companies:

This ruling sends a clear message: any data export to non-EU countries—especially via remote access—must guarantee a protection level not below the EU standard. Companies must also ensure complete transparency toward data subjects to guarantee effective control and legal protection.

Conclusion:

TikTok’s violations of GDPR rules on transparency and third-country data transfers have led to a 530 million EUR fine and strict corrective orders—a wake-up call for all providers to ensure data exports and privacy notices are fully EU-compliant.

FAQ – Why Are Data Transfers to China Problematic?

Data transfers to China are especially sensitive due to several legal and practical issues:

  1. No Adequacy Decision:
    China does not have an “adequacy decision” from the European Commission. Under Article 45 GDPR, personal data can only be transferred to a non-EU country if that country ensures a level of protection essentially equivalent to that of the EU. In the absence of such a decision, companies must rely on safeguards like Binding Corporate Rules or Standard Contractual Clauses. If those are missing or poorly implemented, the transfer constitutes a violation of Article 46 GDPR.
  2. Government Access Under Chinese Law:
    Chinese law allows government agencies broad access to data from companies operating in China. The National Intelligence Law (in force since 2017) requires companies to cooperate with state security services and hand over information—even if it concerns EU citizens. In contrast to the EU, China lacks independent courts or supervisory authorities to offer effective legal remedies to affected individuals.
