TikTok was hit with a massive €530 million ($600 million) fine by Ireland’s Data Protection Commission (DPC) for violating the EU’s GDPR. The penalty is the third-largest ever under GDPR and reflects increasing pressure from European regulators on Big Tech’s data handling practices.
Why was TikTok fined?
The fine, which comprises about $550 million for unlawful data transfers and about $50 million for transparency violations, centres on TikTok’s transfer of EEA user data to China without the safeguards GDPR requires for cross-border transfers (Article 46), raising serious concerns over transparency and accountability. The DPC also found that TikTok failed to clearly inform users that their data could be accessed remotely by staff in China, a breach of the transparency obligations in Article 13. The regulator further noted that TikTok had not carried out a proper risk assessment before allowing access from China, a critical oversight given the sensitivity of the data involved.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage, and other laws identified by TikTok as materially diverging from EU standards,” Deputy Commissioner Graham Doyle said.
This is not TikTok’s first brush with GDPR enforcement. In 2023, the DPC fined the company €345 million ($368 million) for failing to protect children’s personal data, including issues around default public settings for underage accounts and inadequate age verification.
What was TikTok’s response and what are the broader implications?
TikTok said it does not agree with the DPC’s findings and plans to appeal, citing reforms under its “Project Clover” initiative aimed at enhancing data security. The DPC, however, has ordered TikTok to bring its processing into compliance within six months and has indicated that if it does not, it may order a suspension of data transfers to China.
GDPR: Still a moving target
Seven years since it came into force, the GDPR continues to evolve. New fines, new interpretations, and new technological challenges, from AI to international data flows, are reshaping compliance expectations. This landmark penalty is yet another reminder that the GDPR is not just about paperwork and privacy notices, but about real-world consequences for failing to protect personal data.
For businesses operating internationally, especially in high-risk sectors like tech and social media, the message from regulators is clear: Data transfers without proper protections will not be tolerated. Whether your company is big or small, GDPR compliance is no longer just a legal requirement; it’s a reputational necessity.
Is your team ready to respond to regulatory scrutiny?
VinciWorks’ GDPR training equips your staff with practical, up-to-date guidance to stay compliant, whether you’re managing cross-border data, handling subject access requests, or integrating AI tools. Our GDPR courses include an in-browser editing tool that lets you customise the courses to reflect your information security challenges and best practices.
Join our live webinar: GDPR—Seven years on
Wednesday, 28 May 2025 at midday UK time
As the GDPR marks its seventh anniversary, it’s evident that data protection remains a dynamic and complex field. The most recent fines show that both large and small businesses are subject to regulators’ scrutiny. Plus, EU data protection law continues to evolve and shape enforcement actions across the world, particularly as more US tech companies push back on fines, and the UK seeks to roll back its GDPR-style laws.
Join us for a live, one-hour webinar on GDPR’s seventh anniversary. In this webinar, we will look at GDPR’s widespread impact, not just in Europe but around the world. As places like Brazil, California and even China race to enact GDPR-like protections, what does the future hold for data privacy?
The one-hour webinar will cover:
- Recent GDPR fines and case studies
- International developments and new GDPR-style laws around the world
- Focus areas for EU data protection authorities
- Where the UK and US stand with data protection and GDPR
- Artificial intelligence and data protection laws
- Best practice guidance to solidify your GDPR compliance