TikTok has been fined €530 million ($601.3 million) by Ireland’s Data Protection Commission (DPC) for violating EU data protection laws by transferring user data to China.
The DPC found that TikTok had breached the EU’s General Data Protection Regulation (GDPR) by failing to ensure that European user data accessed from China was adequately protected.
TikTok was ordered to bring its data processing practices into compliance within six months or face a suspension of data transfers to China.
The regulator criticized TikTok for failing to assess the risks of Chinese laws that may allow government access to personal data, such as anti-terrorism and counter-espionage laws.
TikTok was also found to have provided inaccurate information during the investigation, claiming it had not stored EU user data in China—only to later admit that some data had been stored there.
The DPC is considering additional regulatory action in consultation with other EU privacy authorities.
TikTok has disagreed with the ruling and plans to appeal, arguing that the decision does not reflect recent security improvements under its €12 billion Project Clover initiative.
The company maintains it has never received or complied with any request from Chinese authorities for access to European user data.
Nonetheless, TikTok has acknowledged that staff in China and other countries can access user data for operational purposes, raising concerns among Western regulators.
Under Chinese law, companies may be required to share data with the government for intelligence purposes, which has fueled fears over potential misuse of user information.
