Advertisers might be clamouring to hand their budgets to TikTok but its data protection record has been battered once more following a €530m (£452m) fine for yet another breach of GDPR, which pushes its total penalties under the privacy legislation to close to €1bn (£850m) in Europe alone.
The latest fine follows an investigation by the Irish Data Protection Commission which found the Chinese-owned video-sharing app had failed to guarantee that European user data sent to China would not be accessed by the Chinese government.
The Irish DPC, which regulates TikTok across the European Economic Area (EEA), had already whacked TikTok with a €345m (£269m) penalty over the illegal processing of youngsters’ personal data in September 2023. This followed a £12.7m fine issued by the UK Information Commissioner’s Office in April of the same year.
The Irish DPC said: “TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counterespionage and other laws identified by TikTok as materially diverging from EU standards.”
The company also failed to “verify, guarantee and demonstrate” that European user data sent to China was offered a level of protection equivalent to that guaranteed within the EU, the ruling added.
TikTok insisted the Irish DPC had made “no finding” that it shared European user data with Chinese authorities. It said it had never received a request for user data from Chinese authorities, or provided user data to them. However, the company has been ordered to suspend data transfers to China if its processing is not brought into compliance within six months.
TikTok, which said it would appeal against the ruling, insists it now has safeguards in place under its Project Clover data security scheme, which was announced in March 2023. The DPC investigation covered a period from September 2021 to May 2023.
Even so, there could be more regulatory action to follow.
Throughout the inquiry, TikTok informed the regulator that it did not store EEA user data on servers located in China. However, in April 2025, TikTok informed the Irish DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the inquiry.
Irish DPC deputy commissioner Graham Doyle said: “The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU data protection authorities.”
Meanwhile, the UK ICO recently revealed it has launched a new investigation into TikTok – as well as Reddit and Imgur – as part of a wider probe into how social media platforms protect the privacy of their child users in the UK.
The move comes amid growing concerns over young people being served inappropriate or harmful content, with the investigation into TikTok considering how the platform uses personal information of 13- to 17-year-olds in the UK to make recommendations to them and deliver suggested content to their feeds.
Related stories
Three-pronged probe into abuse of children’s privacy
TikTok beefs up parental controls and ties with adland
TikTok insists ‘we’ve changed’ following €345m EU fine
TikTok whacked with £12.7m fine for UK privacy failings
‘Super-regulator’ puts TikTok, AI and adtech on notice
TikTok in the dock again as privacy complaints mount
Be the first to comment on "TikTok whacked once again as privacy fines near €1bn"