EU Fines TikTok €530 Million for Mishandling User Data Transfers to China

The EU has imposed a €530 million penalty on TikTok for passing European users’ personal data to China without adequate protection. Led by the Irish Data Protection Commission (DPC), the investigation stated that TikTok broke core GDPR rules. The penalty comes after the company admitted that it stored and deleted European data in China, going against its previous denials.

The ruling has reopened arguments surrounding foreign access to user information, particularly in light of increasing tensions in geopolitics. TikTok will appeal, but the case may redefine online regulation on the continent and internationally.

EU Makes TikTok Answer for Privacy Slip-Ups

Ireland’s Data Protection Commission issued the fine on Friday. It validated that TikTok permitted European users’ personal information to be accessed in China. The DPC stated that TikTok could not demonstrate that it provided protection of the same level as EU standards. It highlighted the dangers posed by access under Chinese anti-terror and counter-espionage legislation. Those laws differ dramatically from EU practices.

The regulator further added that TikTok failed to notify users regarding data transfers and overseas access. This was between 2020 and 2022. For that, the regulator issued a €45 million portion of the fine for lack of transparency.

TikTok Changes its Story on China-Based Data Storage

Early on, TikTok asserted that it did not keep or process European data in China. But while under investigation, it changed its tune. In April, the company acknowledged that it had retained data in China before it deleted it. That acknowledgment proved a turning point for the DPC’s ruling.

TikTok now maintains European data is stored in Norway, Ireland, and the United States. It maintains Chinese staff cannot access sensitive information such as IP addresses or phone numbers. The platform also assures that it has never shared European user data with Chinese authorities.

US and Global Pressure Mounts on TikTok

The penalty comes as TikTok is under increasing scrutiny in the US. Congress has enacted a law compelling ByteDance to divest its US interest in TikTok or risk a ban. President Donald Trump has twice extended the deadline for the sale, now due on June 19. The platform has 170 million US users at risk.

Outside the US, nations such as Pakistan, Nepal, and France (in New Caledonia) have imposed temporary bans. They claim fears over misinformation, toxic content, and user isolation due to TikTok’s recommendation algorithms.

EU’s Wider Crackdown on TikTok’s Data Practices

TikTok has been fined by the DPC before. The company was fined €345 million in 2023 for mishandling children’s data. That judgment referenced privacy setting failures and lack of transparency.

In turn, TikTok introduced the Clover initiative in Europe. The program guarantees €12 billion of data infrastructure investment within 10 years. Nevertheless, the recent ruling indicates that previous practices are still under close examination.

The DPC ruling comes with more than a fine. TikTok is required to get its data processing fully GDPR compliant within six months. Failure to do so will see the EU suspend all data transfers to China.

New Digital Sovereignty and Data Accountability Era?

This case is emblematic of the EU’s digital sovereignty commitment. It sends a signal to the world’s tech giants: EU data regulations apply regardless of where the parent company resides. For TikTok, it could be the precedent for governments’ attitudes towards foreign-owned platforms.

While TikTok maintains it has done nothing wrong and is going to appeal, the case reopens a contentious issue. How can democracies protect user data in an age of global platforms and geopolitical competition?