€530 Million in Fines: TikTok’s Costly Data Transfer Mistake and GDPR Lessons Learned for Other Companies
The Irish Data Protection Commission (DPC) has fined TikTok €530 million for unlawfully transferring personal data of European users to China and failing to provide clear information about these transfers. The ruling follows an investigation into whether TikTok adhered to EU data protection rules (GDPR).
Reasons for the Fine?
TikTok allowed its staff in China to access data of users in the European Economic Area (EEA) without ensuring the same level of data protection as in the EU. The DPC found that TikTok’s data transfer agreements and security measures were not strong enough to protect EEA data from potential access by Chinese authorities.
What TikTok Did Wrong:
Failed to clearly inform users that their data could be accessed in China.
Provided incorrect information to investigators, initially claiming no EEA data was stored on Chinese servers, only to later admit some data was found there.
TikTok’s History of Fines: TikTok has been repeatedly fined for data protection violations across multiple jurisdictions:
2019 – United States: $5.7 million fine by the FTC for collecting personal data from children under 13 without parental consent.
2021 – Netherlands: €750 million for unlawful data processing and violations of children's data protection rights.
2023 – United Kingdom: £12.7 million (€14.5 million) fine by the ICO for mishandling children’s data and failing to obtain parental consent.
2023 – Ireland: €345 million fine by the DPC for making children’s accounts public by default and lacking transparency.
May 2025 – Ireland: €530 million fine by the DPC for unauthorized data transfers to China and misleading information to regulators.
What Could Have Prevented the Fine?
TikTok’s primary misstep was transferring EEA user data to China without establishing legally sound safeguards. Ideally, the company should have avoided transferring data to jurisdictions that do not offer an equivalent level of data protection. If data transfer outside the EU was deemed necessary, TikTok could have implemented more comprehensive measures:
Data Localization: Storing and processing EEA user data within the EU would have minimized the risks associated with cross-border data transfers.
Data Protection Impact Assessments (DPIAs) and Gap Analysis: Conducting thorough DPIAs before initiating data transfers to China could have identified potential risks and informed the implementation of appropriate safeguards.
Transfer Impact Assessments (TIAs): Conducting TIAs before transferring personal data to a third country without an EU adequacy decision would have evaluated the recipient country’s legal framework, the potential risks to data subjects, and the safeguards necessary to ensure GDPR compliance.
Binding Corporate Rules (BCRs): Establishing BCRs approved by EU data protection authorities would have provided a robust legal framework for intra-group data transfers, ensuring consistent data protection standards across all entities.
Standard Contractual Clauses (SCCs): While TikTok relied on SCCs, it failed to implement supplementary measures that would mitigate the risk of data access by Chinese authorities. These could include encryption protocols, access control mechanisms, and regular audits to verify compliance.
Transparency and Data Management: Companies should clearly communicate where user data is stored and how it is accessed. Privacy policies must be regularly updated to reflect any cross-border data transfers, especially to jurisdictions with differing data protection laws. Ensuring that data subjects are aware of potential data access by foreign authorities is also critical for maintaining transparency and regulatory compliance.
Lessons Learned and Strategic Actions: The TikTok case serves as a critical lesson for any organization handling EU data. Establishing comprehensive data governance frameworks, conducting risk assessments, and ensuring contractual safeguards are more than legal obligations; they are essential business strategies for mitigating financial and reputational risks. Implementing robust data protection measures can also position businesses as trusted data stewards, enhancing brand reputation and customer loyalty.
To effectively address these types of data protection risks, explore our targeted services:
Gap Analysis and In-Depth Data Protection Assessments: Identifying vulnerabilities and implementing tailored data protection strategies.
International Data Transfers: Establishing compliant frameworks for secure cross-border data transfers.
Role-Based Training on GDPR Compliance and Data Protection: Equipping your team with targeted knowledge to navigate complex data protection requirements.
To view the full details of the decision on the Irish DPC site, click here. For comprehensive insights into the latest GDPR fines in Europe, visit the GDPR Enforcement Tracker. If you’re concerned about your organization’s compliance and potential risks, schedule a complimentary advisory session with us through our Contact Page.