TikTok is facing a €530 million penalty from the European Union following a years-long investigation into how the platform manages user data. Ireland’s Data Protection Commission (DPC), which oversees the enforcement of data privacy rules for companies headquartered in the country, concluded that the app fell short of European standards when transferring or allowing access to personal data outside the bloc.
The DPC determined that the video-sharing platform, owned by China-based ByteDance, could not sufficiently prove that the data of users in Europe remained protected when accessed remotely by staff in China. Under the EU’s General Data Protection Regulation (GDPR), data can only be moved beyond EU borders if equivalent levels of privacy protection are ensured.
One area of concern was a lack of clarity in TikTok’s earlier privacy disclosures. The company’s previous policies did not explicitly state that personnel in countries such as China, Singapore, or the United States might access European user data. Although TikTok had maintained that no user information was stored in China, the company recently acknowledged that a small amount of data had in fact been located on servers there earlier in the year. That data has since been deleted.
The regulator has given TikTok six months to update its data practices and meet EU standards. If the company does not meet these conditions, further restrictions—including limits on data transfers to China—could follow.
In response, TikTok said it intends to appeal the decision. The company defended its data transfer framework, pointing to its use of legal agreements designed to meet EU requirements, and cited security initiatives such as Project Clover. This program includes building local data centers in Europe and implementing external monitoring by cybersecurity experts.
According to TikTok, the decision focuses on a past period that predates the company’s current safeguards. It also emphasized that it has never received requests from Chinese authorities for European user data and has never shared such information with them.
This isn’t the first time the platform has come under regulatory scrutiny. In 2023, TikTok was fined €345 million over its handling of data tied to minors. The DPC, which serves as the lead regulator for several large tech companies based in Ireland, has also issued penalties to firms like Meta and Microsoft under the GDPR framework.
The watchdog is now reviewing whether TikTok’s recent admission regarding stored data in China requires additional penalties or oversight.
As international rules on data privacy grow more complex, the case adds to the ongoing debate about how global digital platforms operate in regions with stricter consumer protections.
Image is licensed under the Creative Commons Attribution-Share Alike 2.0 Generic license and was created by Solen Feyissa.