On 2 May 2025, the Irish Data Protection Commission (DPC) fined TikTok Technology Limited EUR 530 million for violating the General Data Protection Regulation (GDPR) by unlawfully transferring personal data from the European Economic Area (EEA) to China. The DPC found that TikTok failed to ensure that Chinese law provided a level of data protection essentially equivalent to that required under EU law, as mandated under GDPR. Although TikTok used Standard Contractual Clauses (SCCs) and claimed that data transfers via remote access were not governed by the relevant laws and practices, TikTok’s own legal assessment provided during the inquiry revealed significant differences between Chinese and EU law. These included issues under China’s Anti-Terrorism Law, Counter-Espionage Law, Cybersecurity Law, and National Intelligence Law. The DPC concluded that TikTok neither adequately assessed these risks nor implemented effective supplementary measures, undermining its ability to guarantee lawful data transfers.

While the company has since made structural changes under “Project Clover,” the DPC determined that a suspension of the data transfers was necessary and proportionate. TikTok has been ordered to bring its processing operations into compliance with GDPR within six months of the expiry of the appeal period.

Separately, the DPC found that TikTok failed to meet its transparency obligations. Its 2021 EEA Privacy Policy did not name the third countries receiving data or explain that personnel in China accessed personal data stored in Singapore and the US. Although TikTok’s updated December 2022 Privacy Policy corrected these issues, the DPC found that the company was non-compliant from 29 July 2020 to 1 December 2022. The EUR 530 million fine includes EUR 45 million for the transparency breach and EUR 485 million for the unlawful transfers.