TikTok logo on smartphone showing data transfers of EU data

TikTok to Receive €530 Million Fine Over EU Data Storage, Data Transfers to China

A case of what TikTok says was the mistaken storage of EU data on a server in China appears to be concluding with a €530 million fine for the video giant, under charges of violating Article 46(1) of the General Data Protection Regulation and its requirement to “verify, guarantee and demonstrate” that its data transfers were kept adequately secure.

The amount equates to about $600 million and is the second such substantial fine for TikTok relating to GDPR violations. TikTok had claimed that standard contractual clauses (SCCs) legally covered it regardless of the errant transfer, and says that it plans to appeal the decision.

Data transfers found to “materially diverge” from anti-terrorism law, counter-espionage law

The decision was handed down by the Irish Data Protection Commission (DPC), which served as lead regulator due to TikTok’s EU headquarters being kept in Dublin. The cited GDPR infringements were not just for the transfer of EU data to China, but also failure to meet GDPR transparency requirements. In addition to the fine, TikTok is required to bring its operations to compliance within six months.

The GDPR’s rules governing data transfers, solidified by the Schrems II court decision of 2020, requires assurances that EU data retain equivalent protections when it travels out of the EEA borders. This generally requires that destination countries have an adequacy agreement in place with the EU, something not possible with China given its national security policy of allowing the government access to anything stored on servers within the country at any time.

The present decision is the result of a general inquiry into the company that began in 2021, and has had two main branches. The first of these, an investigation into TikTok’s handling of children’s personal data and the use of “dark patterns” for consent collection in 2020, was resolved in 2023 with a similarly large fine (€345 million). The present branch saw a draft decision presented to TikTok in February 2025, but in April the company voluntarily notified regulators that it had discovered some EU data had inadvertently been transferred to and stored in China.

Cases against transfer of EU data to China continue, but major companies remain unregulated

Adequacy decisions require relative parity with the protections offered by the GDPR and other EU-spanning laws, making them relatively rare; only 15 have been issued to date, and even the geopolitically friendly USA struggled for years to receive one given government policies creating the possibility of warrantless interception of overseas data that crosses into the country.

That virtually ensures China cannot and will not receive one, a tough position for budget-minded but popular apps that have a huge overseas market like Temu and Shein. Regulators have thus far been somewhat slow to pursue these apps, however, and in some cases there appears to be no hope of compliance with EU data regulations. When AI phenomenon DeepSeek emerged earlier this year and was subsequently warned about its overseas data transfers, the company essentially told regulators it had no intention of complying or cooperating.

TikTok is challenging the case by pointing to SCCs that it says ensures its data transfers are encrypted and not accessed outside the organization, and its ongoing “Project Clover” project that seeks to entirely divest the companies Chinese operations from the rest of the world and create data centers in places like Finland to ensure regional compliance. TikTok had already moved EU data to servers in the US and Singapore as of 2022, but its privacy policy from near the end of that year indicates that employees in China and other countries without adequacy decisions might still be able to access it remotely. The Irish DPC’s decision indicates the primary period of infringement runs from July 2020 to December 2022.

TikTok is also arguing that it is being “singled out” with the fine for data transfers, something that perhaps holds more weight when one considers the actions to date against popular China-based retail apps. Temu and Shein have only recently started facing regulation, but to date it has been for the safety and security of their products rather than handling of EU data. noyb has filed complaints against numerous of these apps for their data practices, but there has been little movement on this particular issue as of yet. In the meantime, TikTok has spent some €12 billion on Project Clover since 2023.

Despite TikTok’s massive investments in data security and compliance in both the EU and US, slip-ups like this keep hurting its efforts to build trust. The company appeared to be on track to reach a deal with the Biden administration to allow Oracle to oversee its US-facing servers (designed to remove the need for foreign data transfers) before inside whistleblower reports documented Chinese engineers retaining remote access to US data. The app has since been in jeopardy in the country, but remains available as it has been able to convince the Trump administration that it is making necessary strides toward divesting from Chinese ownership.