Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China

02nd May 2025

The Irish Data Protection Commission has today announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data [1] of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.

The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China [2] and its transparency requirements [3]. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.

DPC Deputy Commissioner Graham Doyle commented:

“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries. TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.

As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

Erroneous information submitted to Inquiry

Throughout the Inquiry, TikTok informed the DPC that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.

Deputy Commissioner Doyle added that “The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU