TikTok Fined $600 Million for Breaking EU Privacy Rules with China Data Transfers

TikTok, the popular video sharing app, has been hit with a €530 million fine (about $600 million) by a European Union privacy watchdog. After a long investigation, the watchdog found that TikTok's data transfers to China could put users at risk of spying, breaking the strict EU data privacy rules.

Why TikTok Was Fined Over User Data Transfers to China

The investigation was led by Ireland’s Data Protection Commission (DPC), which is TikTok’s main privacy regulator in the EU because TikTok’s European base is in Dublin. The DPC said TikTok failed to protect European user data when it was being accessed by staff in China. The app also wasn’t clear with users about where their personal data was being sent.

Deputy Commissioner Graham Doyle said that TikTok could not prove that the data being accessed outside the EU was protected to the same standard as inside the EU. That is a must under the EU's General Data Protection Regulation (GDPR).

TikTok disagreed with the fine and announced plans to appeal. The company said the decision only looked at a limited time period ending in May 2023. Since then, TikTok started a new data protection program called Project Clover, which includes building three data centers in Europe to better protect user data.

TikTok’s European public policy head, Christine Grahn, said that Project Clover uses strong security systems and is watched by NCC Group, a trusted European cybersecurity company. She believes the decision did not fully consider these safety steps.

TikTok Faces More Pressure Over How It Handles EU User Data

This is not the first time TikTok has been fined in Europe. In 2023, the company was also fined millions of euros in a separate case about child privacy. European officials have long been worried that TikTok’s parent company ByteDance, based in China, might be forced by Chinese laws to share data with the government.

The DPC said it found no proof that user data was shared with Chinese authorities, but TikTok failed to properly check the risks under Chinese laws. These laws, like those on anti-terrorism and cybersecurity, are very different from European rules.

TikTok said it has never shared European data with China’s government and has never received a request to do so.

The DPC said that when the investigation started in September 2021, TikTok’s privacy policy was unclear. It did not mention which countries the user data was sent to, including China, Singapore, and the United States. The policy has now been updated, but the issue was serious.

In April 2025, TikTok finally told the regulator that some European data had been stored on Chinese servers, even though earlier it said it wasn’t. This late update raised more concerns.

The Irish regulator said it is still looking into TikTok’s actions and may take more steps. Doyle stated they are treating the situation seriously and might take further action if needed.

This large TikTok fine over EU privacy breach is another reminder that tech companies must be clear and careful with user data, especially when it crosses borders. As data privacy rules in the EU remain strict, companies like TikTok will continue to face tough questions about how they manage personal information.