The platform is accused of illegally transferring users’ personal data outside Europe, in breach of GDPR
The third-largest GDPR fine in history
The Irish Data Protection Commission (DPC) has hit TikTok with a staggering €530 million fine, ranking it as the third-largest sanction ever issued under the General Data Protection Regulation (GDPR). Only Amazon (€746 million) and Meta-Facebook (€1.2 billion) have received higher penalties.
At the core of the issue is the unauthorized transfer of EU users’ personal data to China, where parent company ByteDance is headquartered. The DPC determined that TikTok failed to comply with privacy obligations, exposing European data to significant risks.
Why Ireland decides for all of Europe
Under the GDPR, any non-EU company with its European base in a member state is subject to that country’s data authority. In TikTok’s case, its European headquarters in Ireland makes the DPC responsible for investigations and enforcement.
The fine follows a lengthy investigation, which found that TikTok did not offer sufficient safeguards to protect data transferred outside the EU, putting users’ rights at risk.
TikTok fights back: “We’ll appeal”
TikTok strongly disagrees with the DPC’s decision and has announced plans to file an appeal. The platform argues that it has already updated its data practices to comply with European standards and called the fine disproportionate.
Regardless of the outcome, the case sends a powerful message to big tech companies: if you operate in Europe, you must respect data protection laws — no matter where your servers are.
Transferring Data Outside the EU: What the GDPR Says
The General Data Protection Regulation (GDPR) restricts the transfer of personal data to countries outside the European Economic Area (EEA) unless those countries ensure an adequate level of data protection. In the absence of an adequacy decision by the European Commission, transfers can still occur if specific safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) for intra-group data transfers
- Data Protection Impact Assessments (DPIAs) to assess and mitigate risks
- Participation in recognized data transfer frameworks, such as the EU-U.S. Data Privacy Framework
In the TikTok case, the Irish Data Protection Commission found that the company transferred European users’ data to China without sufficient safeguards, breaching Articles 44 to 49 of the GDPR. Since China is not covered by an EU adequacy decision, companies transferring data there must take extra precautions.
Implications for Businesses
This record-high fine underscores how European data protection authorities are ramping up GDPR enforcement, particularly in cases involving:
- Transparency in data processing
- Protection of minors
- Data security and localization
To remain compliant, companies should:
- Map international data flows and identify high-risk transfers
- Assess the legal basis for each transfer and apply necessary safeguards
- Review contracts with vendors and partners outside the EEA
- Implement encryption, anonymization, and privacy-by-design measures