The Irish Data Protection Commission (DPC) has imposed a substantial fine of €530 million on TikTok for alleged violations of the European Union’s General Data Protection Regulation (GDPR). This ruling underscores the strict enforcement of data privacy laws in Europe, particularly concerning the transfer of user data beyond the European Economic Area (EEA). The DPC stated that TikTok had not adequately safeguarded the personal data of its EEA users, as remote access to this data was granted to staff located in China.
In a statement regarding the fine, Graham Doyle, DPC’s deputy commissioner, expressed concerns about TikTok’s failure to undertake necessary assessments regarding potential access by Chinese authorities to EEA personal data. According to Doyle, TikTok’s initial claims that no user data was stored on servers in China were later contradicted by an admission that some erroneously stored data was found in February 2025. The Irish regulator is contemplating further regulatory action following these developments, aiming to ensure that stringent protections are in place.
TikTok has formally contested the DPC’s decision, arguing that the ruling does not adequately consider the company’s significant investment in its Project Clover data security initiative. This €12 billion project aims to reinforce data protections and involves the construction of a data center in Finland. Christine Grahn, TikTok’s head of policy and government relations in Europe, highlighted the initiative’s independent oversight by NCC Group and asserted that the company’s data protection measures are among the most stringent in the industry.
The DPC’s ruling is part of a broader trend towards increased regulatory scrutiny on data sovereignty, which has significant implications for organizations handling personal data across borders. Experts warn that companies must be vigilant in complying with evolving data sovereignty regulations, which aim to protect user data in an interconnected world. This decision follows a similar major fine of €1.2 billion imposed on Meta by the DPC in 2023.