EU regulator fines China-based video app TikTok 530 million euros over data protection

"This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data of users of the TikTok platform in the EEA to the People’s Republic of China (“China”)," the statement issued by the DPC said.

In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the General Data Protection Regulation (GDPR).

"The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China and its transparency requirement," the statement said.

"The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months," the statement said.

DPC said the decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.

DPC Deputy Commissioner Graham Doyle said: "The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries."

Doyle said, "TikTok’s personal data transfers to China infringed the GDPR because the video app failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.

"As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards," Doyle said.

"The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR.

"No objections to the DPC’s draft decision were raised," the statement said.