Irish DPC Fines TikTok €530 Million for China Data Transfer Failures

The Irish Data Protection Commission (DPC) has imposed a €530 million fine on TikTok Technology Limited for unlawfully transferring European user data to China without adequate safeguards. The 30 April 2025 decision (Case IN-21-9-2) found TikTok breached Articles 46(1) and 13(1)(f) GDPR by relying on Standard Contractual Clauses (SCCs) without properly assessing protection levels in China and failing to inform users transparently about international transfers. This landmark ruling establishes strict standards for data exporters dealing with jurisdictions presenting surveillance risks.

Background

The inquiry concerned TikTok Ireland, the Irish-established controller for European Economic Area (EEA) users of the TikTok platform. The DPC acted as lead supervisory authority under Article 56 GDPR, commencing an own-volition investigation in September 2021 into TikTok's data transfers to affiliated entities in China (China Group Entities) operated by parent company ByteDance.

Between July 2020 and December 2022, TikTok Ireland transferred personal data of EEA users to China through two mechanisms: the 2010 SCCs and subsequently the 2021 SCCs. The transfers occurred primarily through remote access by China-based personnel to servers storing EEA user data located outside China, enabling China Group Entities to access data for purposes including product development, user support, platform security, and content moderation.

The investigation examined whether TikTok complied with Chapter V GDPR requirements, particularly the obligation under Article 46(1) to use appropriate transfer tools and assess protection levels in destination countries. The inquiry also scrutinised transparency obligations under Article 13(1)(f), requiring controllers to inform data subjects about transfers to third countries and the safeguards applied.

Decision

The DPC found TikTok infringed Article 46(1) GDPR by failing to conduct an adequate assessment of Chinese law and practices before transferring data. The DPC determined TikTok did not demonstrate that Chinese law provided essentially equivalent protection to EEA standards, particularly regarding public authority access to personal data. TikTok's assessment was found deficient in several respects: it failed to adequately analyse specific Chinese surveillance laws (including the National Intelligence Law and Cybersecurity Law), underestimated the risk of government access, and did not sufficiently evaluate whether supplementary measures could address identified risks.

The DPC concluded that TikTok's reliance on SCCs was therefore unlawful. The Commission noted that while SCCs provide contractual safeguards, they cannot overcome deficiencies in the legal framework of the destination country. TikTok's transfer impact assessment was criticised for lacking rigour, depth, and objectivity, particularly in dismissing potential government access risks without adequate substantiation.

Additionally, TikTok violated Article 13(1)(f) by failing to provide data subjects with meaningful information about international transfers. The privacy policy did not adequately specify the recipients, purposes, and safeguards for transfers to China, thereby denying users the ability to understand and exercise their data protection rights.

Sanctions imposed:

  • €485 million fine for Article 46(1) breach (unlawful international transfers)
  • €45 million fine for Article 13(1)(f) breach (transparency failures)
  • Transfer suspension order requiring TikTok to cease transfers to China
  • Compliance order mandating remedial measures to bring processing into conformity with GDPR

Implications

This decision sends a clear signal that reliance on SCCs for transfers to jurisdictions with expansive surveillance powers requires rigorous, evidence-based assessments. Data controllers cannot rely on generic or superficial analyses when evaluating protection levels in destination countries, particularly where national security or intelligence laws grant broad government access powers.

Key compliance takeaways:

  • Transfer impact assessments must be robust. Organizations must conduct detailed, jurisdiction-specific assessments examining not only written laws but also practical enforcement, oversight mechanisms, and remedies available to data subjects. Unsubstantiated statements or generalized analyses will not suffice.
  • Transparency is non-negotiable. Privacy policies must clearly identify third countries receiving data, the legal basis for transfers, and specific safeguards in place. Vague references to "service providers" or "business partners" are insufficient. Users must be able to understand where their data goes and why.
  • Corrective orders have teeth. Beyond financial penalties, the DPC ordered suspension of transfers and compliance measures. Organizations facing similar enforcement should anticipate operational disruption and potentially significant costs to restructure data flows.