GDPR: Irish regulator fines TikTok €530m

Ireland’s Data Protection Commission fined TikTok €530m for GDPR breaches, citing data transfers to China and transparency failures. This brings the value of fines levied by Ireland since 2020 to almost €4Bn. TikTok plans to appeal.

The key points: Ireland’s Data Protection Commission fined TikTok €530 million for transferring EU user data to China without proper safeguards and for failing to be transparent about its data practices. The Irish regulator also found that TikTok failed to be transparent about its data practices. For almost four years, TikTok did not tell the regulator that some EU users’ personal data was stored on servers in China. This only became known after the DPC had completed its investigation. Under GDPR, companies must not only protect personal data but also be open about where it is stored and who has access to it. This includes employee data.

Why this matters: The case demonstrates the Irish DPC’s willingness to enforce GDPR robustly. It also brings the total value of fines handed down by the DPC, since the start of 2020, to almost €4 billion. An Oct 2024 FOI (freedom of information) request suggested that many of these fines remain uncollected due to ongoing appeals etc. 

What might happen next: TikTok plans to appeal the fine and claims to have improved data security for European users through its €12 billion “Project Clover.” TikTok statement