TikTok failed to provide adequate safeguards to ensure European users’ personal data would not be accessed by Chinese authorities, according to the IDPC. What lessons does this enforcement hold for other companies?

TikTok has been fined €530 million (US$602 million) for EU General Data Protection Regulation (EU GDPR) violations, the Irish Data Protection Commissioner (IDPC) announced on 2 May 2025.
TikTok was found to have transferred personal data belonging to users in the European Economic Area (EEA) to China without appropriate safeguards. The company’s privacy policy was also in breach, as it did not provide sufficient transparency about data transfers outside the EEA.
A draft decision on the case was issued in February 2025. TikTok has been ordered to bring its processing into compliance within 6 months or suspend transfers of EEA personal data to China.
“TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” stated IDPC Deputy Commissioner, Graham Doyle.
The IDPC also raised concerns about the risk of Chinese authorities gaining access to EEA users’ personal data held by TikTok. TikTok is based in China, meaning it is subject to stringent anti-terrorism and counterespionage laws that require companies to submit their data to the Chinese Communist Party (CCP) if requested.
Other jurisdictions are also concerned about potential national security and privacy risks associated with TikTok and other Chinese-owned apps. In 2024, the US passed a law requiring TikTok to divest from its Chinese-owned parent company or face a ban. Enforcement has so far been delayed while discussions about TikTok’s potential new ownership are ongoing.
Lexology sets out details of the fine and key lessons other businesses can derive from the case.
How did TikTok breach EU GDPR?
The IDPC’s latest EU GDPR fine against TikTok is for infringements linked to how the company transferred EEA users’ data to China.
TikTok used standard contractual clauses (SCCs), which are a valid transfer mechanism under EU GDPR. However, for transfers of personal data outside the EEA to be considered lawful, the transfer mechanism used must provide a level of protection that is equivalent to that guaranteed under EU law. TikTok failed to ensure this, breaching Article 46 EU GDPR, according to the IDPC.
The regulator said it had taken into account changes TikTok implemented through “Project Clover,” a programme the company claims will provide “additional protections” for EU users. As part of Project Clover, TikTok says it has already incorporated “security gateways” to prevent European users’ personal data from being accessed by its employees in China.
TikTok’s privacy policy was also found to be in breach of GDPR, as it was not sufficiently transparent – the non-EU countries, including China, to which personal data was transferred were not specified. The 2021 version of the policy also failed to explain the types of processing that would constitute a transfer.
The IDPC further accuses TikTok of submitting incorrect information to the inquiry. TikTok initially denied that any EEA users’ personal data was stored on servers located in China; however, the investigation revealed that this information was incorrect.
According to TikTok, the EEA data in question has now been deleted. The IDPC is investigating whether “further regulatory action” is warranted.
Key takeaways
From clarification about when transfer rules apply to ongoing fears about Chinese authorities gaining access to users’ personal data, here are some key takeaways from the IDPC’s enforcement against TikTok.
Privacy concerns linked to China persist
According to the IDPC, TikTok recognised that Chinese security laws “diverged materially” from EU standards, yet still failed to provide adequate protections to mitigate the risks to personal data.
Fears that Chinese-owned apps could provide a gateway for the CCP to access large quantities of European or American users’ personal data are mounting. TikTok has denied ever sharing US users’ data with the CCP; however, some former employees dispute this.
Privacy authorities raised similar concerns when the Chinese AI app DeepSeek surged in popularity earlier in 2025. National security concerns led to DeepSeek being blocked in Italy and its use being restricted by governments elsewhere.
The IDPC’s enforcement against TikTok seems to confirm that scrutiny over the privacy practices of Chinese-owned apps that are subject to the country’s far-reaching surveillance laws will continue to escalate.
Issues of remote access
Part of the IDPC’s enforcement relates to the fact that TikTok employees in China had remote access to personal data belonging to users in the EEA.
EU GDPR does not provide for a legal definition of “transfers to a third country” – “third country” refers to any country that is not part of the EU or EEA. However, the European Data Protection Board has clarified that transfer rules do apply if EU personal data is accessed remotely from a third country.
TikTok maintains that “transfers via remote access are not subject to the laws and practices in question.”
Nevertheless, this enforcement should signal to other companies that remote access to EU personal data poses a major EU GDPR compliance risk if appropriate safeguards are not in place.
According to EDPB guidance, companies should “pay particular attention to the legal frameworks of the third country that may have an impact on its ability to respect EU GDPR,” which includes state surveillance laws.
Privacy policies must be transparent
€45 million (US$51 million) of the total fine against TikTok was for infringements linked to its privacy policy, highlighting the importance of companies ensuring their policies are thorough and transparent.
Under EU GDPR, privacy policies must provide a wide range of information, including whether personal data will be transferred to a third country, the transfer mechanism used and a full list of the countries to which data will be transferred.
For more information, companies can refer to Lexology’s checklist of what to include in an EU GDPR privacy notice.