On Friday 2 May, the Irish Data Protection Commission found TikTok guilty of transferring the personal data of some of its users in the European Economic Area (EEA) to China. This contravenes the General Data Protection Regulation (GDPR) that the Irish Data Protection Commission is responsible for enforcing. The decision includes administrative fines totalling €530 million and an order for TikTok to ensure its processing complies within six months. Should this not be the case, transfers by TikTok to China will have to be suspended.
The GDPR stipulates that personal data may only be transferred outside the EU under specific conditions, which have not been met in this case. China, for example, does not have a level of personal data protection in place that is stringent enough to meet these conditions. This is all the more so given the suspicions about links between the Chinese government and TikTok’s parent company.
After the Data Protection Commission (DPC) opened an investigation in 2021, TikTok initially stated that it did not store any user data on servers in China, before informing the DPC in 2025 that personal data had been stored on servers in China. The information provided by TikTok during the investigation was therefore incorrect.
“While TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities”, said Deputy Commissioner Graham Doyle. (Original version in French by Léa Marchal)