Irish Data Protection Commission Fines TikTok Over EEA Data Transfers to China
On May 2, 2025, the Irish Data Protection Commission (“DPC”) issued a decision, as lead supervisory authority, finding that TikTok infringed the GDPR with respect to (a) its cross-border transfers of EEA User Data to China and (b) the GDPR’s transparency requirements. As a result, TikTok must pay an administrative fine totaling 530 million euros, and it must bring its processing into compliance within 6 months. The DPC also suspended any further transfers of EEA data to China if TikTok’s processing is not brought into compliance within this timeframe.
During the Inquiry, TikTok initially informed the DPC that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025, where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.
Cross-Border Transfer Requirements
The European Commission has issued adequacy decisions on a number of third countries, but no adequacy decision had been made with respect to China, meaning the cross-border transfers of EEA data must be accompanied by the safeguards outlined in Article V of the GDPR, such as standard contractual clauses or other supplementary measures. In such cases, the burden is placed on the organization (TikTok) to “verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.”
In this Inquiry, therefore, TikTok (Ireland) was required to assess if Chinese law guaranteed an essentially equivalent level of protection to EU law. The DPC found that TikTok’s transfers infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
Although TikTok maintained that the transfers via remote access are not subject to the laws and practices in question, TikTok’s own assessment of Chinese law provided to the DPC during the Inquiry set out how aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law. The DPC reviewed this assessment as well as the Chinese laws identified by TikTok, such as the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law, which materially diverge from EU standards. In particular, the DPC found that TikTok failed to adequately assess the level of protection provided by Chinese law and practices to the personal data of EEA users subject to such transfers, “which not only directly impacted TikTok’s ability to select appropriate safeguards and supplementary measures, but also prevented TikTok from verifying and guaranteeing an essentially equivalent level of protection.”
Transparency
Article 13(1)(f) GDPR requires data controllers to provide data subjects with information on that controller’s transfers of personal data to a third country. In reviewing its transparency compliance, the DPC considered TikTok’s October 2021 EEA Privacy Policy and found it inadequate in two key respects:
- First, it did not name the third countries, including China, to which personal data was transferred.
- Second, it did not explain the nature of the processing operations that constitute the transfer. Specifically, it failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China.
During the course of the Inquiry, TikTok updated its Privacy Policy and provided its December 2022 EEA Privacy Policy to the DPC. The revised policy identified the third countries to which EEA user data was transferred. It also informed EEA Users that personal data was stored on servers in the United States and Singapore and was subject to remote access by entities in TikTok’s corporate group located in Brazil, China, Malaysia, the Philippines, Singapore, and the United States. The DPC found the 2022 policy to be compliant with the requirements of Article 13(1)(f) GDPR in terms of the Data Transfers subject to the material scope of the Decision. Therefore, the duration of the infringement of Article 13(1)(f) GDPR was limited to the period between 29 July 2020 and 1 December 2022.
Sanctions
The DPC imposed administrative fines totaling €530 million: €45 million for TikTok’s infringement of Article 13(1)(f) GDPR (transparency) and €485 million for its infringement of Article 46(1) GDPR (transfers).