TikTok fined 530m euros over unlawful data transfers to China

The Irish Data Protection Commission (DPC) has imposed a €530m fine on TikTok Technology Limited (TikTok) for the unlawful transfer of European Economic Area (EEA) users’ personal data to China - marking one of the largest penalties issued under the EU’s General Data Protection Regulation (GDPR).

Under GDPR, personal data transferred outside the EEA must continue to receive a level of protection "essentially equivalent" to that guaranteed within the EU. Following a multi-year investigation, the DPC, acting as TikTok’s lead EU regulator, found that the company had failed to meet this standard.

Inadequate safeguards for data transfers

The DPC found that TikTok failed to "verify, guarantee and demonstrate" that its use of Standard Contractual Clauses (SCCs) and supplementary measures provided adequate protection for EEA users’ personal data that was made available to personnel in China via remote access.

SCCs are a key legal mechanism under EU data protection law, consisting of standardised contractual terms approved by the European Commission. They are designed to ensure that personal data transferred to countries without an EU "adequacy decision" (i.e., countries not officially recognised as providing sufficient data protection) still receives a high level of protection.

However, the Schrems II ruling by the Court of Justice of the EU clarified that SCCs alone are not enough where the laws of the destination country, such as those granting public authorities broad surveillance or data-access powers, would undermine the protection the clauses promise on paper. In such cases, the data exporter must assess the destination country’s legal regime and implement additional "supplementary measures" to reinforce data protection. These can include technical safeguards like encryption, organisational controls like strict access policies, or contractual commitments to challenge and resist unlawful data-access requests.

In TikTok’s case, the DPC found that the company had not adequately assessed whether Chinese laws, including the Anti-Terrorism Law and the Cybersecurity Law, would undermine these safeguards by obliging it to grant authorities access to the data. As a result, TikTok was unable to demonstrate that its SCCs and supplementary measures ensured a level of data protection for EEA users that is "essentially equivalent" to that guaranteed under EU law, leading to a finding of non-compliance.

Transparency failures

In addition, TikTok’s October 2021 EEA Privacy Policy did not identify the third countries to which personal data was transferred, nor did it explain the nature of the processing: specifically, that personnel in China had remote access to data stored in Singapore. TikTok later updated its policy in December 2022 to address these omissions.

Sanctions and compliance orders

Beyond the €530m fine, TikTok has been ordered to bring its data processing into compliance within six months; if it does not, its data transfers to China will be suspended. The company has indicated it will appeal the decision, citing its recent data localisation programme, "Project Clover", which includes building EU-based data centres and introducing independent oversight of access to European user data.

This decision reinforces the EU’s commitment to data sovereignty and the protection of personal data from foreign surveillance risks.