Tiktok has six months to comply, while the Irish regulator is not ruling out an additional fine as the Chinese company deliberately lied during the proceedings. Photo: Shutterstock

Ireland’s data protection regulator (DPC) has imposed a record fine on Tiktok for breaches of the GDPR regarding the transparency and legality of data transfers from European users to China. The platform, which launched “Project Clover” in 2023 to move closer to European standards, has six months to comply.

A €530m fine has been imposed by the Irish Data Protection Commission (DPC) on Tiktok following an investigation into the legality and transparency of its transfers of European users’ personal data to China. This is a hefty penalty that underlines the determination of the European authorities to ensure compliance with the GDPR rules in the face of digital giants.

The DPC’s investigation looked into two separate breaches, each giving rise to a specific fine. The first, €45m, was imposed for failure to provide transparency on data transfers, in breach of Article 13(1)(f) of the GDPR. The rest, €485m, was to punish transfers to China deemed illegal, in breach of Article 46(1) of the same regulation.

The first breach extends from 29 July 2020 to 1 December 2022, a period during which Tiktok’s privacy policy did not explicitly mention China as the destination of personal data, nor detail the nature of the processing, in particular remote access by employees based in China. The DPC considered the company to have rectified this shortcoming in its updated policy in December 2022.

“Tiktok’s privacy policy in 2021 did not name the third countries, including China, to which personal data was transferred,” the DPC pointed out. “Nor did it specify that the processing included remote access by staff based in China.”

It was not until December 2022 that Tiktok amended its policy to include this information, ending this period of breach.

A level of protection deemed insufficient

The heftier part of the fine, €485m, is based on a more serious finding: Tiktok has not demonstrated that data transfers to China offered a level of protection “substantially equivalent” to that guaranteed in the EU, as required by the GDPR in the absence of an adequacy decision.

“Tiktok failed to verify, guarantee and demonstrate that the personal data of European Economic Area users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said Graham Doyle, assistant commissioner of the DPC.

In particular, Tiktok did not sufficiently assess the risks associated with potential access by the Chinese authorities, in a legal framework considered incompatible with European standards. The regulator refers to Chinese laws such as the National Security Law and the Anti-Espionage Law.

The investigation also revealed that Tiktok had provided the DPC with incorrect information. Although the company claimed not to store any European user data on Chinese servers, in February 2025 it admitted that data had indeed been stored in China before being deleted. This belated U-turn could lead to new sanctions.

The DPC is ordering Tiktok to comply within six months or risk suspension of its data transfers to China, a tight deadline that could force the platform to carry out an in-depth review of its data processing and hosting practices, particularly as part of its data localisation project (known as “Project Clover”).

Project Clover: €12bn over ten years

This major initiative, launched in 2023, seeks to strengthen the security and privacy of European users’ data and provides €12bn of investment over ten years to build a more secure data infrastructure that complies with European standards.

Main objectives of Project Clover:

—Local data storage: Tiktok has committed to storing European user data by default in a dedicated European enclave, hosted in data centres located in Norway, Ireland and the United States.

—Enhanced access controls: strict security gateways are in place to ensure that employees based in China do not have access to sensitive data, such as phone numbers or IP addresses, stored in Europe.

—Independent oversight: Tiktok has engaged the NCC Group, a European cybersecurity company, to independently oversee and verify data controls and protections. The NCC Group is responsible for monitoring data flows, providing independent verification and reporting any anomalies.

—Privacy technologies: the project incorporates advanced privacy technologies, such as pseudonymisation and data aggregation, to enhance the security of personal information.

In April 2025, Tiktok announced that all buildings at its data centre in Norway, located in Hamar, are now operational. The centre plays a key role in the secure storage of data for European users.

In addition, Tiktok plans to invest €1bn to build a new data centre in Finland, adding to its European infrastructure and meeting data localisation requirements.
