TikTok has been hit with a €530 million ($600 million) fine by its primary European Union privacy regulator over how it handles users’ personal data, especially regarding access from China. The Irish Data Protection Commission (DPC), which oversees major tech firms due to their EU headquarters being located in Ireland, stated that TikTok—owned by Chinese company ByteDance—did not ensure EU users’ data met the required standards of protection under EU law.
The regulator expressed concerns about the potential for Chinese authorities to access EU user data under national security laws, which TikTok itself acknowledged differ significantly from EU privacy regulations. Consequently, the DPC has ordered TikTok to halt any data transfers to China within six months if the platform fails to comply with EU standards.
In response, TikTok announced its intent to appeal the decision. The company argued that it adheres to the EU’s own legal frameworks, including standard contractual clauses, to provide restricted and controlled remote access to user data. It also emphasized that it implemented enhanced security measures in 2023, including independent oversight of remote data access and storing European data in facilities located in the EU and the United States.
TikTok, which has amassed 175 million users across Europe, claimed that it has never been asked to share EU user data with Chinese authorities and has never provided such data. However, during the DPC’s four-year investigation, the company recently disclosed that a small amount of user data was inadvertently stored in China earlier this year, though it has since been deleted.
This marks the second major penalty TikTok has faced from the Irish regulator. In 2023, it was fined €345 million for mishandling children’s personal data. The DPC has also taken action against other tech giants like Meta, X (formerly Twitter), and LinkedIn under the EU’s General Data Protection Regulation (GDPR), which allows for fines of up to 4% of a company’s global turnover.
 fine by its primary European Union privacy regulator over how it handles users'){kind=link}