€530m TikTok fine highlights the importance of effective international data transfer mechanisms
The question
What were the missing compliance elements in TikTok's international data transfers to China and why did these result in such a significant fine?
The key takeaway
Data protection laws, regulations and case law in the EU impose stringent requirements on the transfer of personal data from the EU to third countries that are not deemed to offer an adequate level of data protection, including China. Organisations that do not comply with these rules, particularly in relation to the appropriate use of data transfer mechanisms, may face substantial financial penalties from EU data protection authorities. This applies equally to intra-group data transfer arrangements, which should be reviewed regularly to confirm compliance, and extends to transparency: privacy policies must name the third countries to which user data is sent.
The background
Under the EU GDPR, personal data may only be transferred outside the European Economic Area (EEA) if the European Commission has determined that the third country provides an adequate level of data protection (an Adequacy Decision) or, where no Adequacy Decision exists, if appropriate safeguards are in place to protect the data that is subject to the EU GDPR. One such safeguard is the use of standard contractual clauses (SCCs), accompanied by a transfer impact assessment. Following the CJEU's Schrems II judgment (Case C-311/18), the data exporter (the controller or, as applicable, the processor) is responsible for verifying, guaranteeing and demonstrating that the law and practices of the third country afford a level of protection essentially equivalent to that guaranteed within the EU; SCCs on paper are not enough if local law undermines them in practice.
The development
On 2 May 2025, the Irish Data Protection Commission (DPC) announced a €530m fine against TikTok Technology Limited (TikTok) following an inquiry into the transfer of EEA user data to China. The inquiry concluded that TikTok had infringed key provisions of the EU GDPR relating to international data transfers and transparency. The primary infringement was TikTok's failure to verify, guarantee and demonstrate that the personal data of users subject to the EU GDPR, which was remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. Notably, remote access from China was itself treated as a transfer. The transfers therefore breached Article 46(1) EU GDPR.
In addition, the DPC found that TikTok’s 2021 Privacy Policy lacked clarity and transparency. Specifically, it failed to identify China and other third countries as destinations to which personal data would be transferred and did not adequately describe the nature of the processing activities. This omission constituted a further violation of the EU GDPR’s transparency requirements (Article 13(1)(f) EU GDPR), resulting in an additional fine.
As a result, the DPC imposed administrative fines totalling €530m: €485m for TikTok's infringement of Article 46(1) EU GDPR and €45m for its infringement of Article 13(1)(f) EU GDPR.
The key takeaways from the DPC’s investigation are that:
- when transferring personal data outside the EEA, a data controller must verify, guarantee and demonstrate that the law and practices of the destination country guarantee a level of protection essentially equivalent to that guaranteed within the EU, and must implement appropriate safeguards to ensure that this is the case;
- Chinese laws, including the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law, do not offer a level of protection equivalent to EU standards;
- when a data controller plans to transfer personal data outside the EEA, its privacy policy should name the third countries to which the data will be transferred and specify what the processing will involve.
On 6 May 2025, TikTok issued a statement saying that it will appeal the fine because:
- the DPC's decision failed to consider TikTok's industry-leading data security initiative (Project Clover); and
- TikTok never provided any European user data to Chinese authorities, nor was it ever requested to do so.
Why is this important?
The DPC's decision demonstrates that European regulators are willing and able to investigate complaints from data subjects regarding international data transfers and, where necessary, impose substantial financial penalties on entities found to be in breach of the EU GDPR.
This case also emphasises the critical importance of transparency in data processing, acting as a reminder that organisations must clearly inform data subjects in their fair processing information about any transfers of personal data to third countries.
As seen in TikTok's case and previously in a fine issued against Uber (see our Autumn 2024 edition of Snapshots), the financial penalties imposed for breaches of the EU GDPR can be significant, with supervisory authorities having the power to impose fines of up to €20m or four per cent of an entity's total worldwide annual turnover, whichever is the greater.
Any practical tips?
Organisations whose operations fall within the scope of the EU GDPR should take great care when transferring personal data to countries outside the EEA, including where the transfers are intra-group or take the form of remote access by staff located in a third country. Review all contracts and intra-group arrangements involving data transfers, confirm that a transfer impact assessment supports each transfer mechanism in use, and ensure that the fair processing information provided to data subjects is up to date, names the destination countries and reflects current legal and regulatory requirements. Checking how clearly your privacy policies achieve this, from the data subject's perspective, is an essential part of the process.