This post is also available in:
עברית (Hebrew)
The European Union has issued a €530 million ($600 million) fine against TikTok, marking one of the most substantial data privacy penalties to date under the General Data Protection Regulation (GDPR). The ruling focuses on how the platform manages and transfers personal data of EU users.
The enforcement action, led by Ireland’s Data Protection Commissioner (DPC), also includes a six-month deadline for TikTok to halt data transfers to China unless it can prove full compliance with EU data protection standards, according to Reuters. At the heart of the decision is the platform’s failure to ensure that user data—especially when accessed or processed by personnel outside the EU—is protected at a level consistent with European legal requirements.
According to the DPC, TikTok did not adequately mitigate the risks posed by Chinese national security laws, which could potentially require data disclosure to authorities. Although TikTok has stated that it has never provided EU user data to the Chinese government, the platform was unable to guarantee that such data is safeguarded from unlawful access.
TikTok claims it has implemented a range of protective measures, including localized data storage in Europe and the United States, along with independent monitoring of data access. The company says these security improvements, rolled out in 2023, were not sufficiently taken into account by regulators and plans to appeal the decision.
The DPC’s concerns were further heightened after TikTok disclosed that some EU user data had, contrary to prior statements, been stored in China—a situation since corrected, according to the platform.
This is not TikTok’s first GDPR-related violation. The company was fined €345 million in 2023 for mishandling children’s data. The latest action reflects the EU’s growing resolve to enforce strict data privacy rules—particularly when foreign data access is involved.
