Video-sharing app TikTok has confirmed it plans to appeal a €530 million fine handed down by the Irish Data Protection Commission over the transfer of the personal data of European users to China.
The DPC has also said it had been provided with inaccurate information by the Chinese-owned platform.
Throughout the investigation, TikTok told the DPC that it did not store European user data on servers located in China.
However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited European user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the inquiry.
“TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the inquiry,” the DPC said.
In a statement, Christine Grahn, TikTok’s Head of Public Policy & Government Relations in Europe, said the company disagreed with the decision and that it planned to appeal “in full”.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
The investigation into TikTok was launched in September 2021 to examine the lawfulness of the platform’s transfers of personal data of users in the European Economic Area to China.
The Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, found that TikTok had infringed the General Data Protection Regulation because it failed to verify, guarantee and demonstrate that the personal data of European users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
As well as the €530mn fine, the decision includes an order requiring TikTok to bring its data processing into compliance within six months.
The ruling also includes an order suspending TikTok’s data transfers to China if processing is not brought into compliance within this timeframe.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” said DPC Deputy Commissioner Graham Doyle.
“The DPC is taking recent developments regarding the storage of EEA user data on servers in China very seriously,” Mr Doyle said.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” he added.
TikTok said it disagrees with the decision and intends to appeal it in full.
“The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them,” Ms Grahn said.
Project Clover
In March 2023 TikTok announced ‘Project Clover’, a plan to address to concerns about data security.
It involves European user information being stored at two data centres in Dublin and at a third centre in Norway.
In its response today, TikTok said the DPC had failed to fully consider these considerable data security measures.
“The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm,” Ms Grahn said.
In its ruling today, the DPC said it considered the ongoing changes brought about under Project Clover.
“Notwithstanding these changes, the DPC found that it is appropriate, necessary and proportionate to order the suspension of the data transfers and to order TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of six months from the period allowed for an appeal against the DPC’s final Decision,” the DPC said.
The DPC submitted a draft decision to its fellow European data watchdogs in February and no objections were raised.
