TikTok must pay about $600 million for violating the General Data Protection Regulation (GDPR). The social media platform, owned by ByteDance, allowed remote access from China to European user data without ensuring protection equivalent to EU standards. In February 2025, investigators discovered some of that data on Chinese servers, contradicting TikTok’s own statements.
The blow didn’t stop there. In addition to the fine, Ireland’s Data Protection Commission (DPC) gave TikTok six months to bring its data processing into compliance with GDPR. If the company fails to do so, it will have to suspend all data transfers to China.
What happened. The Irish DPC led the investigation because TikTok Technology Ltd. is based in Ireland. The final report found that TikTok didn’t ensure data protections equivalent to EU standards and didn’t adequately assess the risk of access by Chinese authorities.
Graham Doyle, deputy commissioner of the DPC, said this investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data under Chinese laws on anti-terrorism, counterespionage, cybersecurity and national intelligence that were identified as “materially diverging” from EU standards.
Doyle added that TikTok “has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”
Fine breakdown. The total fine consists of two parts, linked to different GDPR articles:
- $550 million for violating Article 46(1), by transferring data from the European Economic Area to China without safeguards or guarantees of equivalent protection.
- $50 million for violating Article 13(1)(f), by failing to disclose the countries of data recipients—including China—in its October 2021 privacy policy. That violation extended from July 29, 2020, to Dec. 1, 2022, when TikTok updated the policy.
The background. The investigation began in 2021 after questions arose about whether engineers in China had access to European user data. TikTok claimed it didn’t store data in China but admitted remote access was possible.
Contradictions. In April 2025, TikTok told the DPC that it had discovered two months earlier that a limited amount of European data had been stored on Chinese servers—contradicting earlier statements. The company said it deleted the data, but the incident weighed heavily on the final ruling.
Why it matters. Under GDPR, personal data can only be transferred outside the EEA if the receiving country ensures an essentially equivalent level of protection. Because China lacks an “adequacy decision” from the European Commission, TikTok needed to apply additional safeguards, such as standard contractual clauses and risk assessments. It failed to do so.
TikTok’s response. The company said it will appeal the decision. According to Bloomberg, TikTok claims it never received a request for European user data from Chinese authorities and never provided such information.
Ireland’s role. Although the European Data Protection Board includes about 20 authorities, the Irish DPC leads in this case as TikTok’s primary EU regulator. It’s not the first time: In 2023, the Irish authority fined TikTok $390 million for failing to protect minors’ privacy.
Image | Solen Feyissa (Unsplash)