Irish Data Protection Commission Hands TikTok a Hefty Fine for GDPR Infractions

The Irish Data Protection Commission (DPC) has levied a fine of 530 million euros against TikTok, citing major violations of the General Data Protection Regulation (GDPR). The hefty penalty is a direct result of the platform’s mishandling of European user data, which was stored on servers in China without proper disclosure regarding the data transfers.
This fine, equivalent to nearly $600 million, highlights TikTok’s failure to adhere to European privacy laws between July 2020 and November 2022. Under the GDPR, organizations are required to formally communicate to users about any data sent to third-party nations and to ensure that sufficient privacy protections are in place prior to such transfers.
The DPC’s findings also revealed that TikTok provided misleading information during the investigation. Despite claiming it had ceased data transfers to China, the company later admitted to retaining “limited” European user information on its Chinese servers. As part of the ruling, TikTok has been granted six months to modify its data management practices to align with European legal standards.
Graham Doyle, Deputy Commissioner of the DPC, indicated that TikTok’s data operations breached GDPR stipulations, particularly concerning the safeguarding of personal data accessed remotely by personnel located in China. Viewed through the MITRE ATT&CK framework, this kind of failure maps to concerns about initial access and data exfiltration, as well as persistence and privilege escalation, when sensitive user data is accessible across jurisdictions.
The DPC further disclosed that regulatory scrutiny on TikTok is ongoing, hinting at possible future actions against the platform. TikTok has informed authorities that it removed the flagged data stored on Chinese servers. Additionally, the company has evolved its data storage strategies—initially moving to centers in Singapore and the U.S., it now claims European data is housed in specific data centers in Norway, Ireland, and the U.S.
In an attempt to mitigate privacy concerns, TikTok has announced an ambitious plan to invest 12 billion euros over a decade to bolster data security for its European users, named “Project Clover.” Current reports indicate that TikTok is also working on establishing a new data center in Finland, with an investment of 1 billion euros.
In 2023, Irish regulators had already penalized TikTok with a fine of 345 million euros for allowing young users to create accounts that were publicly accessible by default and for pairing child accounts with unverified adult users. Furthermore, the U.K. data protection agency imposed a fine of 12.7 million pounds over similar concerns involving the protection of children’s data.
The looming regulatory challenges are compounded by paranoia surrounding TikTok’s ties to its parent company, Beijing-based ByteDance. This has sparked widespread concerns in Europe and North America, leading to governmental bans on the application for official device use. In the U.S., Congress enacted legislation in 2024 aimed at banning TikTok out of fear that data collected by ByteDance could pose national security threats. The Trump administration has since postponed enforcement of this law, with a new deadline for ByteDance’s divestment set for June 19.