ByteDance’s TikTok has been hit with a substantial €530 million ($600 million) fine by the European Union for unlawfully transferring user data to China, violating the bloc’s stringent privacy regulations. The penalty was issued by Ireland’s Data Protection Commission (DPC), which serves as TikTok’s lead EU regulator, given the company’s European headquarters in Dublin.
Breach of GDPR Rules
The DPC concluded that TikTok had breached the General Data Protection Regulation (GDPR) rules, citing unauthorized data transfers. TikTok has been given six months to cease these illegal transfers. The fine comes after TikTok’s admission in April that European user data had been stored on servers located in China, which contradicted previous claims made during the investigation.
The DPC also criticized TikTok for failing to protect user data from potential access by Chinese authorities, citing concerns under Beijing’s national security laws. Deputy Commissioner Graham Doyle emphasized that TikTok did not adequately address the risk of Chinese authorities accessing personal data under anti-terrorism, counter-espionage and similar laws, which differ significantly from EU standards.
TikTok’s Response
In reaction to the fine, TikTok announced it would appeal the decision, maintaining that it had never received a data request from Chinese authorities, nor had it shared any European user data with them.
Ongoing Challenges for TikTok
This penalty ranks as the third-largest fine under the EU’s GDPR framework, following similar penalties against Meta Platforms Inc. (€1.2 billion) and Amazon (€746 million). The fine also follows a €345 million penalty imposed on TikTok in 2023 for mishandling children’s personal data.
The investigation into TikTok began in 2021, with concerns that Chinese engineers working on the app could access European user data. The DPC has long warned about Big Tech companies transferring data to jurisdictions with weaker privacy protections.
Broader Scrutiny Beyond Privacy
In addition to privacy concerns, TikTok faces an ongoing probe under the EU’s Digital Services Act for allegedly failing to prevent the spread of fake accounts and foreign interference during Romania’s 2024 presidential election. The platform’s addictive design and its perceived failure to protect underage users have also drawn significant attention from regulators.
Global Scrutiny on TikTok
TikTok’s troubles extend beyond the European Union. In March 2025, the Nigeria Data Protection Commission (NDPC) announced an investigation into TikTok and Truecaller over data protection concerns. Dr. Vincent Olatunji, the National Commissioner and Chief Executive Officer of the NDPC, noted that the commission is reviewing the compliance of these companies with Nigeria’s data protection laws and will take appropriate regulatory actions based on its findings.
However, unlike the European regulators, who continue to levy heavy fines under the GDPR framework, the NDPC’s primary focus is on remediation, ensuring that data processors and controllers in Nigeria comply with proper data protection standards.