New

Tiktok Fined €530m By Irish Regulator For Data Transfers To China; Is It A Habitual Offender?

The Data Protection Commission (DPC) of Ireland has imposed a fine of €530 million on TikTok, the short-form video platform, the agency announced on May 2, 2025. The company came under scrutiny from the European agency for failing to comply with the EU’s General Data Protection Regulation (GDPR). In addition to the hefty fine, the DPC has ordered the social media platform to comply with the law within six months.

TikTok’s latest regulatory troubles in the EU:

The Irish DPC launched an inquiry to examine whether the short-form video platform is lawfully transferring the data of its users in the European Economic Area (EEA) to China. The commission also investigated whether the company’s transparency requirements, in relation to such data transfers outside of the EEA, are in accordance with the GDPR in the EU.

TikTok violated the GDPR by transferring data of its EU users to China and by failing to meet the law’s transparency requirements. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within six months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe, according to the order published by the regulatory body.

TikTok Violated GDPR?

After its inquiry, the Irish DPC concluded that TikTok violated two provisions of the GDPR: Article 46(1) and Article 13(1)(f).

transfer of data to a third country

Article 45(1) of the GDPR states that the European Commission may authorise the transfer of personal data from the EEA to a third country if that country or one of its territories or specified sectors in the country ensures an adequate level of data protection.

The European Commission has granted authorization only to countries like Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, the USA, and Uruguay, according to the DPC.

Since China is not on this list, TikTok’s transfer of personal data of its EEA users to the country violates Article 45.

not up to gdpr’s standards

To determine whether TikTok’s data transfer to China was legal, the data protection body asked TikTok’s Irish subsidiary to assess whether Chinese law provided protection equivalent to that mandated by the GDPR.

Article 46(1) of the GDPR allows an entity to transfer data to a third country, even if it fails to comply with Article 45, only if the entity has provided appropriate safeguards, equivalent to the EU’s GDPR, while transferring and using the data. However, the DPC concluded: “TikTok’s transfers to China infringed GDPR because it failed to verify, guarantee, and demonstrate that the supplementary measures and the Standard Contractual Clauses (SCCs) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.”

TikTok argued that such remote access transfers do not fall under the regulation’s purview and submitted its own assessment of Chinese law, which it claimed “precludes a finding of essential equivalence” to EU regulations.

Failed to name the third country

Article 13(1)(f) of the GDPR requires entities that collect personal data to inform the users whose data is being collected about the transfers to a third country, in this case, China. According to the DPC, the regulatory authority considered TikTok’s October 2021 EEA Privacy Policy. The body discovered that the aforementioned policy was “inadequate in two key respects.”

The social media platform’s 2021 Privacy Policy did not name the third countries, including China, to which the company transferred personal data.
The 2021 Privacy Policy of the company failed to specify that the data processing included remote access to personal data that it stored in Singapore and the US by its personnel based in China.

As a result, the DPC imposed administrative fines totalling €530 million, €45 million for the violation of Article 13(1)(f) and €485 million for breaching Article 46(1).

TikTok’s Regulatory Troubles: A Global Snapshot

TikTok has faced repeated scrutiny from European authorities over its data and privacy practices.

fined for breaching eu’s privacy law

In September 2023, the DPC reportedly imposed a fine of €345 million on TikTok for violating the privacy laws in the EU. The company was, according to the regulator, processing children’s personal data in the EU. The DPC said that the platform breached various privacy laws between July 31, 2020, and December 31, 2020. This was reportedly the first instance of a major regulatory action against TikTok in the EU.

As per the report, back then, the company disagreed with the regulator’s decision, particularly with the amount it had been fined. TikTok also said that most of DPC’s criticisms were not relevant anymore, as it had already introduced several measures even before the probe against it began.

The DPC found that TikTok had set accounts of users under 16 to “public” by default and failed to verify if a user was a child’s parent or guardian before enabling the ‘Family Pairing’ feature.

Breached UK’s law

Similarly, in April 2023, the United Kingdom’s (UK) Information Commissioner’s Office (ICO) imposed a fine of £12.7 million on the social media platform for breaching multiple aspects of the UK’s data protection law, including the unlawful use of children’s personal data.

The data protection regulator stated that the company allowed about 1.4 million children under the age of 13 in the UK to use the platform in 2020. This, according to the Irish DPC, violated the company’s own rules prohibiting underage children from creating accounts. The regulator discovered this during its investigation.

Furthermore, the company failed to obtain parental or guardian consent, as mandated under the UK’s data protection regulations, despite knowing that children may have been using its short-form video app. The ICO also found that the company lacked adequate checks and balances to identify and remove underage users from the platform.

India’s TikTok ban:

Back in June 2020, India’s Ministry of Electronics and Information Technology (MeitY) banned 59 Chinese apps, including TikTok, citing threats to national security and public order. The action was taken under Section 69A of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.

MeitY stated that these apps were engaged in activities “prejudicial to sovereignty and integrity of India, defence of India, security of state and public order.” The Ministry of Home Affairs’ Indian Cybercrime Coordination Centre (I4C) had also recommended the ban.

It is important to note here that although the government had expressed concerns regarding the social media app’s data sharing policy and citizens’ apprehensions, the ban on TikTok had come amid rising geopolitical tensions between India and China.

Irish DPC Action Against Others

The EU’s data protection watchdog strictly enforces regulations and imposes hefty fines on several tech giants, including Meta and Elon Musk’s microblogging platform.

In April 2025, the DPC announced that it had started its inquiry into X Internet Unlimited Company (XIUC), the Irish division of X (formerly Twitter), for allegedly processing the personal data of its users in the EU. The regulator said that the company was using the data to train its AI chatbot, Grok. The inquiry is examining compliance with several key provisions of the EU’s GDPR, including lawfulness and transparency of data processing by X.

Before that, in January 2023, the DPC fined Meta for illegally processing the data of its users for showing them targeted ads. The EU watchdog had imposed a fine of €390 million on Instagram’s parent company for this particular malpractice. The DPC also ordered Meta to comply its ad-serving practices as per the EU’s GDPR within three months.

Earlier, in September 2022, the DPC decided to impose a fine of €405 million on the tech giant for failing to protect children’s rights while using their data on its social media platform, Instagram. The watchdog’s investigation into the matter found that Instagram set the newly registered accounts to “public” by default. The new users needed to manually change the account settings to “private” for privacy. It added that the children were also able to switch from a personal account to a business account after mandatorily showing an email address or a phone number associated with a business.