TikTok – €530,000,000 Fine (Ireland, 2025)

€530,000,000
Data Protection Commission
2 May 2025
Ireland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Data Protection Commission (Irish DPA) launched an own-volition inquiry into the lawfulness of TikTok’s (controller) transfers of personal data of EEA users to China. The inquiry also looked at TikTok’s compliance with its transparency requirements.

Throughout the investigation, TikTok maintained that it did not store EEA user data on its Chinese servers. In April 2025, TikTok corrected this and informed the DPC that, due to an error, some EEA user data had in fact been stored on Chinese servers, but that this was no longer the case. During the investigation, TikTok claimed that transfers via remote access do not require a transfer mechanism as mandated under Article 46(1) GDPR.

In an assessment of Chinese laws provided by TikTok to the DPC during the investigation, TikTok had itself identified that the Chinese legal framework would preclude a finding of “essential equivalence”, as required, in addition to the adoption of appropriate safeguards and supplementary measures. In this assessment, TikTok made reference to the Chinese Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law.

The investigation also revealed that TikTok’s October 2021 EEA privacy policy did not name the third countries, such as China, to which personal data was transferred. Furthermore, the policy did not specify that personal data held by TikTok in Singapore and the United States could be accessed remotely by personnel in China.

The DPC found that TikTok had infringed Article 46(1) GDPR in respect of the transfers of the personal data of EEA users via remote access to China. The DPC held that TikTok had failed to verify, guarantee and demonstrate that the supplementary measures and standard contractual clauses (SCCs) relied upon were effective to ensure that the personal data of EEA users were afforded a level of protection essentially equivalent to that in the EU. The DPC also found that TikTok had infringe

GDPR Articles Cited

AI-verified

Art. 13(1)(f) GDPR
Art. 46(1) GDPR

Source verified 4 March 2026
verified correct

Details

Fine Date: 2 May 2025
Authority: Data Protection Commission
Fine Amount: €530,000,000
GDPRhub ID: gdprhub-9202

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. TikTok - Ireland (2025). Retrieved from cookiefines.eu
