Irish Data Protection Commission fines TikTok €530 million

The data protection regulator has announced its decision to fine TikTok €530 million, following an inquiry into TikTok’s transfers of EEA personal data to China

07 May 2025


On 02 May 2025, the Data Protection Commission ("DPC"), the Irish data protection regulator, finalised its decision to fine TikTok Technology Limited ("TikTok") €530 million. This decision comes following an inquiry into TikTok's transfers of personal data to the People's Republic of China ("China") which was launched in September 2021.

This is the first international transfer enforcement relating to China, and the first that concerns remote access as opposed to data storage. TikTok was found to have allowed remote access to EEA user personal data for around 1.5 years, which resulted in user data being processed on devices in China.

The decision includes (i) administrative fines of €530 million, (ii) an order mandating TikTok to bring its processing into compliance within six months, and (iii) an order suspending TikTok's transfers to China if it does not comply with (ii).

The full decision and further related information are set to be published by the DPC in due course.

Law on data transfers

A key principle of international transfers of personal data under the EU General Data Protection Regulation ("GDPR") is that personal data must be subject to an essentially equivalent level of protection to that offered throughout the European Economic Area ("EEA"). Under Chapter V of the GDPR, personal data can be transferred outside of the EEA where the recipient jurisdiction has been approved as adequate by the European Commission, or where other derogations or safeguards (the most commonly used being the Standard Contractual Clauses ("SCCs")) are in place. The transferring organisation must also ensure that the recipient jurisdiction guarantees a level of protection essentially equivalent to that provided under GDPR.

Findings of the DPC

TikTok relied on the SCCs for its transfers of personal data to China and carried out a Transfer Risk Assessment (“TRA”) to evaluate the equivalence of Chinese law. The DPC reviewed this assessment which identified examples of Chinese laws that materially diverge from EU standards, including the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law.

The DPC noted that "aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law" and that TikTok failed to "adequately assess the level of protection provided by Chinese law and practices". The Deputy Commissioner emphasised that when relying on the SCCs, an organisation’s TRA must relate to the application of the jurisdiction’s laws and practices to the specific transfers that are being proposed, and cannot be high-level only. He said that while TikTok acknowledged divergences between EU and Chinese law in general terms, it did not adequately consider them in the context of the specific circumstances (in particular the remote access which resulted in EEA personal data being processed in China).

In addition, TikTok focused on the risk of Chinese laws being applied to data stored outside of China, concluding that there was no extra-territorial effect. However, the EEA user data was in fact being processed in China as a result of the remote access, which was not considered by TikTok as part of its TRA.

The DPC’s conclusion was that the transfers infringed Article 46(1) GDPR as TikTok did not adequately verify and demonstrate that the SCCs and additional measures could provide an essentially equivalent level of protection as that guaranteed under GDPR.

Inaccurate information provided to the inquiry

The DPC noted that TikTok had provided inaccurate information to the inquiry, as it initially stated that EEA user data was not located in China, but later discovered and reported (in February 2025) that limited amounts of this data had in fact been stored on servers in China.

This is a point taken seriously by the DPC, with the Deputy Commissioner saying that "whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities." Note that this issue is being considered separately and is not part of the current decision and fine.

This highlights the critical importance of accurately mapping all data storage and access across an organisation's global operations. The DPC appears to be taking a relatively hardline stance here, despite the limited amounts of data impacted and the remedial measures taken by TikTok.

Transparency

In a separate issue under the inquiry, the DPC reviewed TikTok's 2021 EEA Privacy Policy and found that it failed to meet Article 13 GDPR transparency obligations, which require controllers to provide information to data subjects on the transfer of their personal data to third countries. The DPC found that the 2021 notice was insufficient as it (i) did not specify the third countries, such as China, where personal data was being transferred, and (ii) failed to detail the processing operations involved in these transfers, notably omitting to notify users that personnel in China had remote access to data stored in Singapore and the United States.

The Deputy Commissioner confirmed that it is not sufficient to simply state that personal data will be “transferred outside of the EEA” – notices need to specify and name the jurisdictions to which the data will be sent (except for those where an adequacy decision is being relied upon). The DPC and other European DPAs have this expectation of all controllers, so that data subjects can understand how and where their data is being processed and make informed decisions on whether to engage with the services.

During the inquiry, TikTok revised its Privacy Policy and submitted an updated 2022 version, which the DPC deemed compliant with Article 13 requirements, determining that the infringement period was from July 2020 to December 2022. The DPC fined TikTok €45 million for this infringement (with the other €485 million being for its infringement of international transfer provisions).

This serves as a reminder to ensure that all privacy notices are up to date, and that any relevant transfers (including remote access) are disclosed to data subjects.

Application to other organisations

Although the DPC will only be the Lead Supervisory Authority for organisations whose European headquarters are in Ireland, this decision demonstrates the EU's focus on international transfers to China, and its willingness to hand out large fines despite remediation efforts. It would therefore be prudent for organisations to consider the status of their own international transfers of personal data, including:

  • confirming that all transfers of EEA personal data to China, including remote access, are adequately mapped;

  • ensuring that any TRA in relation to China is thorough, fully examines the level of protection offered by Chinese laws and practices, and considers the application to the specific transfers proposed;

  • ensuring that essential equivalence can be guaranteed before beginning transfers, continuing to monitor the laws and practices in third countries where personal data is shared, and stopping any transfers where essential equivalence can no longer be guaranteed; and

  • conducting a regular review of privacy notices to ensure they are current, accurate, and reflective of the organisation’s actual practices regarding the management of international data transfers.

TikTok's response and Project Clover

TikTok has stated that it disagrees with, and plans to appeal, the DPC's decision. Central to its response is "Project Clover", described as a "€12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere". TikTok details safeguards which include independent monitoring by an external cybersecurity company (NCC Group), dedicated European data enclaves hosted across data centres in Europe and the United States, additional digital security barriers, and privacy-enhancing technologies such as differential privacy and encryption on-access.

The DPC's decision says that it considered ongoing changes under Project Clover but still found it appropriate, necessary and proportionate to issue the orders. Note that Project Clover appears to have been implemented in 2023, while the DPC's decision relates to an earlier period of non-compliance. However, some of the safeguards included in Project Clover may prove to be a benchmark for international transfers in other organisations.

Requests for access by Chinese authorities

The actual track record of requests for access by governmental authorities does not appear to be a factor mentioned in the DPC's initial description of the fine. This issue forms part of the complaint against TikTok and other major Chinese companies submitted by the privacy-focused non-profit NOYB. However, TikTok's response states that "the DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them", suggesting that this topic is considered within the report.

Next steps

The Deputy Commissioner confirmed that TikTok received the final decision in the week commencing 28 April 2025. TikTok now needs to review the decision and identify any confidential or commercially sensitive material (e.g. details of technical supplementary measures) to be redacted before the full decision can be published. The DPC will then review those proposals and redact accordingly before releasing the decision. Once that process has been completed, the Deputy Commissioner said he hoped the decision would be published "imminently".

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.