TikTok has confirmed it will appeal a €530 million fine imposed by Ireland’s Data Protection Commission (DPC) over the unauthorised transfer and storage of European user data on servers in China, in breach of EU privacy laws.
The Chinese-owned video-sharing platform acknowledged in April 2025 that it had discovered a breach earlier in February, where limited user data from the European Economic Area (EEA) was stored in China. This contradicted the company’s previous assurances during a multi-year DPC investigation, which began in September 2021.
The DPC found TikTok in violation of the EU’s General Data Protection Regulation (GDPR), specifically for failing to ensure that the personal data of European users accessed by staff in China received protections equivalent to those guaranteed within the EU.
The Commission’s ruling includes more than just the financial penalty. TikTok has been ordered to bring its data processing practices into compliance within six months. If the company fails to do so, the DPC has mandated a suspension of all data transfers from the EU to China.
Graham Doyle, Deputy Commissioner of the DPC, stated the breach raises serious concerns. “TikTok’s failure to undertake necessary assessments meant it did not sufficiently address the potential access by Chinese authorities to EEA data, especially under laws that diverge significantly from EU standards,” he said.
Despite TikTok’s claims that it has never received nor complied with any data access requests from Chinese authorities, the DPC said the company provided inaccurate information during the inquiry process. TikTok has since deleted the data in question, but further regulatory action is under consideration, the Commission said.
In response, TikTok’s Head of Public Policy and Government Relations in Europe, Christine Grahn, said the company “strongly disagrees” with the decision and plans to challenge it fully through legal channels.
TikTok pointed to its ongoing “Project Clover” initiative, launched in 2023, as evidence of its commitment to improving data security. The project involves storing European user data in three localised data centres — two in Dublin and one in Norway — with oversight from independent cybersecurity firm NCC Group.
However, the DPC ruled that while it considered these measures, they were not sufficient to prevent the penalty or halt the enforcement actions.
The DPC submitted its draft decision to other EU data authorities in February 2025, and no objections were raised, clearing the way for today’s final ruling.
