Europe has fined TikTok €530 million over violations of data protection laws.
The Irish Data Protection Commission (DPC) says TikTok’s 2021 Privacy Policy did not identify the third parties with access to its users’ data, as required under the General Data Protection Regulation (GDPR), the tentpole legislation on information privacy in the European Union (EU) and the European Economic Area (EEA).
“The 2021 Privacy Policy did not explain the nature of the processing operations that constitute the transfer,” according to the European data protection authority. “Specifically, the 2021 Privacy Policy failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China.”
In a DPC press release, Deputy Commissioner Graham Doyle stresses that European data protection laws require a high level of protection, especially when personal data is transferred abroad.
TikTok, the popular short-form video platform, known in China as Douyin, is owned by Chinese internet company ByteDance.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Doyle said.
During the inquiry, TikTok initially said it had not stored EEA user data on servers located in China.
“However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry,” according to the Irish watchdog. “TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.”
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” Deputy Commissioner Doyle said.
“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously,” he added. “Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
During the inquiry, TikTok updated its privacy policy to identify the countries where EEA user data was transferred. That policy informed users that personal data was stored on servers in the United States and Singapore and was subject to remote access by entities in the company’s corporate group in Brazil, China, Malaysia, the Philippines, Singapore, and the United States.
The DPC has issued TikTok an administrative fine totalling €530 million for its violations—€45 million for its infringement of Article 13(1)(f) GDPR and €485 million for its infringement of Article 46(1) GDPR.
In related news, WhatsApp has recently introduced Advanced Chat Privacy, a setting that helps keep content, such as photos and sensitive chats, from spreading outside the popular messaging app.
The Meta-owned messaging service has also unveiled a privacy-first system called Private Processing to support AI features without exposing user messages.
For peace of mind – whether you’re surfing the web, checking your social media feed, or texting your friends – consider running a security solution on your personal devices.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.