TikTok Fined €530M for Sending EU Data to China

May 1, 2025 · €530M fine

Severity: HIGH

By Karim El Labban · ZERO|TOLERANCE

The Irish Data Protection Commission (DPC) imposed a EUR 530 million fine on TikTok Technology Limited in May 2025, marking the largest GDPR fine ever issued for international data transfers.

The enforcement action found that TikTok systematically transferred European Economic Area (EEA) user data to servers in China operated by personnel of its parent company, ByteDance, without implementing the safeguards required under GDPR Chapter V. The DPC also ordered TikTok to bring its data processing into compliance within six months or face suspension of transfers to China entirely.

01 · KEY FACTS

  • What: TikTok illegally transferred EU user data to China without safeguards.
  • Who: EEA TikTok users whose data was accessed by ByteDance staff in China.
  • Data Exposed: User profiles, behavioral data, messages, and ad targeting data.
  • Outcome: Irish DPC fined TikTok EUR 530M; compliance order within six months.

02 · WHAT HAPPENED

The Irish Data Protection Commission opened its investigation into TikTok's international data transfer practices in September 2021, following the landmark CJEU Schrems II ruling that invalidated the EU-US Privacy Shield and imposed strict requirements on transfers to countries without adequate data protection.

The investigation examined whether TikTok had implemented legally sufficient safeguards for transferring EEA user data to China, a jurisdiction that does not benefit from an EU adequacy decision under GDPR Article 45.

Over the course of the nearly four-year investigation, the DPC found that TikTok Technology Limited - the Irish-registered entity that serves as the GDPR data controller for EEA users - had systematically transferred user data to servers in China where it was accessed by personnel of ByteDance, TikTok's parent company.

The data included user profiles, behavioral engagement data, direct messaging content, social graph information, and advertising targeting profiles.

The transfers occurred without the implementation of adequate supplementary measures required under GDPR Articles 44 through 49 to compensate for the absence of an adequacy decision.

The DPC determined that TikTok's Transfer Impact Assessment - the document required to evaluate whether the destination country's legal framework provides essentially equivalent protection to EU law - was fundamentally deficient.

China's National Intelligence Law of 2017 requires Chinese organizations and citizens to support and cooperate with national intelligence work.

The DPC found that TikTok failed to adequately assess this risk or implement technical measures sufficient to prevent Chinese authorities from accessing EEA user data.

In May 2025, the DPC issued a EUR 530 million fine - EUR 485 million for transfer violations and EUR 45 million for transparency failures - along with an order to bring processing into compliance within six months or face suspension of all data transfers to China.

TikTok announced its intention to appeal, citing its ongoing "Project Clover" initiative to establish European data centers. The DPC noted that Project Clover remained incomplete at the time of the decision.

03 · WHAT WAS EXPOSED

  • EU/EEA user profile information including usernames, dates of birth, email addresses, phone numbers, and IP addresses transferred to ByteDance servers in China
  • Behavioral and engagement data including video watch history, content interaction patterns, search queries, and algorithmic recommendation inputs
  • Content creation metadata including geolocation tags, device identifiers, and network information
  • Direct messaging content and social graph data including follower/following relationships
  • Advertising profile data including inferred interests and cross-platform tracking identifiers

04 · REGULATORY ANALYSIS

The DPC's investigation, initiated in September 2021 and concluded in May 2025, centered on TikTok's systematic transfer of EEA user data to personnel in China.

The primary violations fell under GDPR Articles 44 through 49. China does not benefit from an EU adequacy decision under Article 45. The DPC found that TikTok's Transfer Impact Assessment was fundamentally deficient, failing to adequately assess the risk posed by Chinese national security laws.

The fine comprised EUR 485 million for transfer violations and EUR 45 million for transparency failures.

TikTok announced its intention to appeal, arguing that its "Project Clover" initiative establishing European data centers had addressed concerns, but the DPC noted Project Clover remained incomplete.

05 · ZERO|TOLERANCE Advisory

EUR 530 million. The largest GDPR fine ever imposed for international data transfers. TikTok did not suffer a cyberattack. No threat actor was involved.

The company made a deliberate architectural decision to route EEA user data to servers in China - a jurisdiction where national security law compels organizations to cooperate with intelligence services - without implementing the supplementary technical measures required by GDPR Chapter V. The DPC's four-year investigation documented a systematic failure to comply with transfer requirements that have been legally binding since the Schrems II ruling in July 2020. Every control below addresses a specific compliance failure that the DPC identified and that any organization transferring data outside the EEA must implement.

The foundational failure was TikTok's deficient Transfer Impact Assessment (TIA).

Any organization transferring personal data outside the EEA to a country without an adequacy decision must conduct a TIA that honestly evaluates whether the destination country's legal framework provides essentially equivalent protection to EU law.

For China, this assessment must address Article 7 of the National Intelligence Law, which requires Chinese organizations and citizens to support national intelligence work.

A TIA that does not explicitly evaluate and document the risk posed by such laws - and articulate the specific supplementary measures implemented to mitigate that risk - will not survive regulatory scrutiny. The TIA is not a checkbox exercise.

It is a legal document that must demonstrate, with specificity, how technical and organizational measures compensate for the absence of adequate legal protections in the destination country.

When a TIA identifies that the destination country's legal framework does not provide equivalent protection, the transferring entity must implement supplementary technical measures that render the data unintelligible to any party - including the data importer and local authorities - that does not have authorization under EU law.

Encryption with keys held exclusively in the EEA is the primary mechanism.

Data transferred to servers in China must be encrypted in transit and at rest using AES-256, with encryption key management infrastructure physically located within the EEA and legally structured so that no entity subject to Chinese jurisdiction has access to the keys.

If the data must be processed in cleartext by personnel in China - as was the case with TikTok's content moderation and algorithmic operations - then the transfer cannot be lawfully made under current GDPR jurisprudence without additional structural safeguards.

TikTok's "Project Clover" initiative - establishing European data centers to localize EEA user data - represents the correct architectural direction but was incomplete at the time of enforcement.

Data localization requires that all processing of EEA user data occurs within EEA-based infrastructure, with access controls that prevent personnel in non-adequate jurisdictions from accessing the data in cleartext.

This requires not only physical data center presence in Europe but also access management architecture that enforces jurisdictional boundaries at the technical level.

Attribute-based access controls (ABAC) that evaluate the requester's physical location, jurisdictional authority, and employment entity before granting access to EEA user data must be enforced at the application layer, not merely at the network layer.
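The two controls above, encryption keys that never leave the EEA and attribute-based access decisions enforced in the application rather than the network, fit together naturally: the key service is the application-layer chokepoint, and it releases a per-record key only after evaluating the requester's attributes. The program below is an added illustration, not code from TikTok, the DPC or any real key-management product. It models an EEA-resident key service that envelope-encrypts each user record with AES-256-GCM, keeps the key-encryption key in memory on the EEA side only, and checks the requester's physical location and the jurisdiction that the requester's employing entity is subject to before unwrapping a record key. Every decision is written to an audit trail so denials can be monitored. The jurisdiction list, the entity names ("ExampleCo EU Ltd", "ExampleCo Parent Co"), the sample record and the requester identities are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Requester holds the ABAC attributes checked on every key release: physical location (ISO 3166-1 code) and employing legal entity.
type Requester struct{ ID, Location, Entity string }

// Illustrative policy data with hypothetical entity names; a real deployment loads these from the Commission's adequacy decisions and corporate/IdP records.
var (
	adequateJurisdictions = map[string]bool{"IE": true, "DE": true, "FR": true, "NL": true, "NO": true}
	entityJurisdiction    = map[string]string{"ExampleCo EU Ltd": "IE", "ExampleCo Parent Co": "CN"}
)

// Authorize is the application-layer check; it runs inside the key service, so network reachability alone never yields cleartext.
func Authorize(r Requester) error {
	if !adequateJurisdictions[r.Location] {
		return fmt.Errorf("deny %s: location %q is outside the EEA/adequate jurisdictions", r.ID, r.Location)
	}
	if j, known := entityJurisdiction[r.Entity]; !known || !adequateJurisdictions[j] {
		return fmt.Errorf("deny %s: employer %q is subject to non-adequate jurisdiction %q", r.ID, r.Entity, j)
	}
	return nil
}

// KeyService models a key-management service whose key-encryption key (KEK) is generated and held only on
// EEA infrastructure. It never exports the KEK; it releases per-record data keys after a policy check and logs every decision.
type KeyService struct {
	kek   []byte
	Audit []string
}

// randomBytes panics if the CSPRNG fails; crypto/rand treats that as unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKeyService() *KeyService { return &KeyService{kek: randomBytes(32)} } // 256-bit KEK

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here: a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal/open: AES-256-GCM with a random 96-bit nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// StoredRecord is what may sit on storage outside the EEA: ciphertext plus a wrapped data key (DEK) that is useless without the EEA key service.
type StoredRecord struct{ WrappedDEK, Ciphertext []byte }

// Protect envelope-encrypts one record under a fresh DEK and wraps the DEK with the KEK.
func Protect(ks *KeyService, plaintext []byte) StoredRecord {
	dek := randomBytes(32)
	return StoredRecord{WrappedDEK: seal(ks.kek, dek), Ciphertext: seal(dek, plaintext)}
}

// Access is the only path to cleartext: policy check, audited DEK release, decrypt.
func Access(ks *KeyService, r Requester, rec StoredRecord) ([]byte, error) {
	if err := Authorize(r); err != nil {
		ks.Audit = append(ks.Audit, "DENY "+err.Error())
		return nil, err
	}
	ks.Audit = append(ks.Audit, "ALLOW "+r.ID+" from "+r.Location)
	dek, err := open(ks.kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

func main() {
	ks := NewKeyService()
	rec := Protect(ks, []byte("user=42;dob=1999-01-01")) // constructed sample record
	_, err := Access(ks, Requester{"eng-9", "CN", "ExampleCo Parent Co"}, rec)
	fmt.Println(err, ks.Audit) // the requester in CN is refused the key and the denial is logged
}
```

The design point is where the decision is made: a requester who can reach the storage bucket, or even the key service's network endpoint, gets nothing usable unless `Authorize` passes, and the KEK itself is never returned, so compromising the storage outside the EEA yields only ciphertext and wrapped keys. The second policy check also denies an EEA-located employee of an entity established in a non-adequate jurisdiction, which is the "jurisdictional authority" attribute the advisory calls for. The `Audit` slice stands in for whatever log sink a real service would use; a spike in DENY entries from a given location or entity is the detection signal.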

The EUR 45 million transparency component of the fine addresses TikTok's failure to adequately inform users about international transfers.

GDPR Articles 13 and 14 require clear, specific disclosure of the countries to which personal data is transferred, the legal basis for the transfer, and the safeguards in place.

Privacy notices that refer generically to data being processed by "global affiliates" or "group companies" without naming China as a destination and without disclosing the implications of Chinese national security law do not meet the transparency standard.

Any organization operating in the EEA that transfers data to non-adequate jurisdictions must name each destination country in its privacy notice, identify the specific GDPR transfer mechanism relied upon for each country, and describe the supplementary measures in place.

The difference between a compliant privacy notice and a non-compliant one is not legal sophistication - it is willingness to be specific about where user data actually goes.

06 · SOURCES

Irish DPC Decision IN-21-9-3, CJEU Schrems II ruling (C-311/18), TikTok Project Clover, National Intelligence Law of China
