The Data Protection Commission (DPC) of Ireland has fined TikTok €530 million (nearly $600 million) for failing to protect European user data from potential access by Chinese authorities and for submitting inaccurate information during the investigation.
The penalty follows a formal probe into the company’s cross-border data transfers from the European Economic Area (EEA) to China. The DPC concluded that TikTok failed to implement sufficient safeguards to prevent Chinese state access and did not clarify how it protected user data from Chinese counterespionage and anti-terror laws.
The DPC confirmed that TikTok employees in China had remote access to EEA user data, which the company failed to fully disclose. TikTok initially claimed that no EEA data was stored in China, but later admitted that a limited amount of such data was stored there. The regulator found this to be a serious breach of transparency under the EU’s General Data Protection Regulation (GDPR).
TikTok, owned by Chinese tech firm ByteDance, denied sharing data with Chinese authorities and said it has never received or complied with any such request. The company maintains that it is continuing to improve its data governance and security practices.
The ruling adds to growing international scrutiny of TikTok’s data handling practices. Lawmakers in both the US and Europe have expressed ongoing concerns that the app could be forced to share user information with the Chinese government.
With this latest enforcement action, the DPC signals it may pursue further regulatory steps in response to TikTok’s previous inaccuracies and the unresolved risks surrounding foreign data access.