Following a comprehensive investigation into the video-sharing platform TikTok, the Irish Data Protection Commission (DPC) decided that the company violated the European Union General Data Protection Regulation (GDPR). The Commission found that TikTok did not fulfill its transparency and security obligations when transferring the data of its European Economic Area (EEA) users to China. As a result, the company was fined a total of 530 million euros. The decision was announced to the public in April 2025.
Of the penalty, 485 million euros was imposed for the lack of adequate protection in the transfer of EEA data to China. The remaining 45 million euros related to the company's failure to fulfill its obligations to inform users. The Commission emphasized that TikTok was not clear enough about its data processing and did not inform users fully. Accordingly, the company violated Articles 46(1) and 13(1) of the GDPR.
According to a statement by the Commission, TikTok gave personnel in China remote access to EEA user data, but did not check whether this access met the data security standards applied in Europe. DPC officials said that Chinese laws on counter-terrorism and espionage pose a serious risk to the security of personal data. This indicates that the data sent from Europe is not sufficiently protected. For this reason, TikTok's current practices clearly contradict EU regulations.
TikTok's statement that data was kept in China contradicted the company's earlier declarations
During the investigation, TikTok claimed that EEA user data was not stored in China. However, an internal examination in February revealed that the data of a limited number of European users was held on servers in China. This finding called into question the accuracy of the information the company had previously provided. Although the data in question was reported later, this led the DPC to consider additional sanctions.
TikTok announced that it would contest the decision. Christine Grahn, President of European Public Policy and Government Relations, said the decision did not take into account the data security program "Project Clover". Under this project, which was initiated in 2023, TikTok aimed to increase the security of user data by establishing local data centers in Europe. According to Grahn, the penalty is based on past practices and does not reflect the current security infrastructure.
In any case, TikTok's "Project Clover" initiative was not enough to prevent this penalty. In its evaluations, the Commission considers not only infrastructure projects but also their effect in practice. From this point of view, the decision raises new questions about the effectiveness of current security policies. Other technology companies operating in the EU may also come under scrutiny for similar practices.
The DPC's decision does not only impose a fine on TikTok. The company is also required to bring its data processing activities into compliance with the GDPR within six months. Otherwise, a complete halt to the transfer of data from Europe to China may come onto the agenda. This may directly affect the company's operations in Europe.
TikTok had previously been in the spotlight for similar violations. In 2023, it was fined 345 million euros on the grounds that it did not adequately protect the privacy of child users. This latest decision is the largest penalty imposed on TikTok in Europe. It also shows that data protection authorities are further tightening their audits of technology companies.
In addition, other European Commission investigations under the Digital Markets Act (DMA) are continuing. They focus in particular on the data management practices of major technology companies. These developments may be a harbinger of new regulations that will shape the future of digital services in Europe.