DPC (Ireland) - TikTok
| DPC - TikTok | |
|---|---|
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 13(1)(f) GDPR; Article 46(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 03.02.2025 |
| Decided: | 02.05.2025 |
| Published: | 02.05.2025 |
| Fine: | 530,000,000 EUR |
| Parties: | TikTok |
| National Case Number/Name: | TikTok |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | cwa |
The DPA fined TikTok €530 million for unlawfully transferring personal data to China and for failing to comply with its transparency obligations, in violation of Articles 46(1) and 13(1)(f) GDPR.
English Summary
Facts
The Data Protection Commission (Irish DPA) launched an own-volition inquiry into the lawfulness of TikTok’s (controller) transfers of personal data of EEA users to China. The inquiry also examined TikTok’s compliance with its transparency requirements.
Throughout the investigation, TikTok maintained that they did not store EEA user data on their Chinese servers. In April 2025, TikTok corrected this and informed the DPC that due to an error, some EEA user data had in fact been stored on Chinese servers, but this was no longer the case.
During the investigation, TikTok claimed that transfers via remote access do not require a transfer mechanism as mandated under Article 46(1) GDPR. In an assessment of Chinese laws provided by TikTok to the DPC during the investigation, TikTok had themselves identified that the Chinese legal framework would preclude a finding of “essential equivalence”, as required, in addition to the adoption of appropriate safeguards and supplementary measures. In this assessment, TikTok made reference to the Chinese Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law.
The investigation also revealed that TikTok’s October 2021 EEA privacy policy did not name the third countries, such as China, where personal data was transferred. Furthermore, the policy did not specify that personal data held by TikTok in Singapore and the United States could be accessed remotely by personnel in China.
Holding
The DPC found that TikTok had infringed Article 46(1) GDPR in respect of the transfers of the personal data of EEA users via remote access to China. The DPC held that TikTok had failed to verify, guarantee and demonstrate that the supplementary measures and standard contractual clauses (SCCs) relied upon were effective to ensure that the personal data of EEA users were afforded a level of protection essentially equivalent to that in the EU.
The DPC also found that, in respect of its October 2021 privacy policy, TikTok had infringed Article 13(1)(f) GDPR, which obliges controllers to inform data subjects, at the point of data collection, of their intention to transfer personal data to a third country. The DPC held that TikTok failed both to name the third country in question (China) and to specify the manner in which this processing occurred (i.e. by remote access).
For these infringements, the DPC levied a fine of €530 million. This figure comprised a €485 million fine for the infringement of Article 46(1) and a €45 million fine for the infringement of Article 13(1)(f). TikTok was also ordered to bring its processing into compliance within six months and to suspend transfers to China if it fails to do so within that timeframe.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China
02nd May 2025
The Irish Data Protection Commission has today announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data [1] of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.
The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China [2] and its transparency requirements [3]. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
DPC Deputy Commissioner Graham Doyle commented: “The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries. TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.
Erroneous information submitted to Inquiry
Throughout the Inquiry, TikTok informed the DPC that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.
Deputy Commissioner Doyle added that “The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”
The DPC will publish the full decision and further related information in due course.
[1] The Law on Data Transfers outside the EU
The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.
Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”). To-date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.
Under the GDPR where an organisation (“Data Controller”) intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.
[2] The DPC’s Findings regarding the lawfulness of the Transfers
In this Inquiry TikTok Ireland was required to assess if Chinese law guaranteed an essentially equivalent level of protection to EU law. The Decision finds that TikTok’s transfers to China infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
While TikTok maintains that transfers via remote access are not subject to the laws and practices in question, TikTok’s own assessment of Chinese law provided to the DPC during the Inquiry set out how aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law. The DPC had regard to this assessment and to the Chinese laws identified by TikTok which materially diverge from EU standards such as the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law.
In particular, the DPC found that TikTok’s failure to adequately assess the level of protection provided by Chinese law and practices to the personal data of EEA users the subject of transfers, which said personal data is processed in China, not only directly impacted TikTok’s ability to select appropriate safeguards and supplementary measures, but also prevented TikTok from verifying and guaranteeing an essentially equivalent level of protection.
In exercising corrective powers, the DPC also considered ongoing changes brought about by TikTok under “Project Clover”. Notwithstanding these changes, the DPC found that it is appropriate, necessary and proportionate to order the suspension of the Data Transfers and to order TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of 6 months from the period allowed for an appeal against the DPC’s final Decision. The DPC considers 6 months to being a reasonable period to provide TikTok to put an end to the transfers in the circumstances.
[3] The DPC’s Findings regarding Transparency
Article 13(1)(f) GDPR requires data controllers to provide data subjects with information on that controller’s transfers of personal data to a third country. The DPC considered TikTok’s October 2021 EEA Privacy Policy and found that this policy was inadequate in two key respects for the purposes of Article 13(1)(f) GDPR. First, TikTok’s 2021 Privacy Policy did not name the third countries, including China, to which personal data was transferred. Second, the 2021 Privacy Policy did not explain the nature of the processing operations that constitute the transfer. Specifically, the 2021 Privacy Policy failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China.
TikTok updated its Privacy Policy during the course of the Inquiry and provided its December 2022 EEA Privacy Policy to the DPC. That Privacy Policy did identify the third countries to which EEA user data was transferred. That Privacy Policy also informed EEA Users that personal data was stored on servers in the United States and Singapore, and was the subject of remote access by entities in TikTok’s corporate group located in Brazil, China, Malaysia, Philippines, Singapore, and the United States.
The DPC assessed TikTok’s December 2022 EEA Privacy Policy as compliant with the requirements of Article 13(1)(f) GDPR in terms of the Data Transfers subject to the material scope of the Decision. Therefore, the duration of the infringement of Article 13(1)(f) GDPR in the Decision relates to the period from 29 July 2020 to 1 December 2022.
The DPC imposes administrative fines totalling €530 million in this Decision, consisting of a fine of €45 million for its infringement of Article 13(1)(f) GDPR, and a fine of €485 million for its infringement of Article 46(1) GDPR.