TikTok Faces EUR530 Million Fine for Storing EU User Data in China

Fri 2nd May, 2025

In a significant ruling, TikTok has been found to have illegally stored user data from the European Union on servers located in China. This violation has led the Irish Data Protection Commission (DPC) to impose a hefty fine of EUR530 million, and the DPC is currently evaluating additional regulatory actions.

The controversy arose after it was revealed that the parent company of TikTok, Bytedance, misled authorities for several years regarding the location of EU users' data. In April 2025, Bytedance admitted that certain data from EU users was indeed stored on Chinese servers, contradicting their previous claims. The company reportedly only recognized this discrepancy in February 2025.

Graham Doyle, Deputy Commissioner of the DPC, emphasized the seriousness of these developments. While TikTok has stated that the data has since been deleted, the DPC, in collaboration with other EU data protection authorities, is assessing what further actions need to be taken. TikTok had consistently assured the public that data subject to the General Data Protection Regulation (GDPR) was not stored in China, claiming instead that such data was held in the USA, Singapore, and Malaysia. These assertions have now been called into question following the findings of the DPC.

The DPC has mandated that TikTok must align its data processing practices with GDPR regulations within six months of the ruling becoming effective. This includes halting any data transfers to China unless they can be demonstrated to comply with GDPR standards. Bytedance must prove that the protections afforded to data in China are equivalent to those guaranteed in the EU.

However, significant challenges loom due to the legislative framework in China, which grants the state extensive access rights under its national security laws. Experts have raised concerns about the reliability of Chinese laws in safeguarding user data, particularly in matters of national security. Therefore, the DPC indicates that only through robust technical measures could data transfers to China be compliant with EU standards.

The DPC noted that TikTok failed to adequately verify and ensure that the personal data of users from the European Economic Area (EEA), which could be accessed by employees in China, was protected to a level comparable to that of the EU. This oversight has led to potential risks regarding access by Chinese authorities to EU user data under various legal frameworks related to anti-terrorism and espionage.

In response to these findings, Bytedance has initiated 'Project Clover', aiming to store data from EU member states in secure data centers within Europe, including a new facility in Hamar, Norway, which became operational in early April. However, the DPC has clarified that merely relocating data centers is insufficient; it is equally crucial to ensure that access to the data complies with GDPR requirements.

Bytedance has expressed its view that it has been treated unfairly by the DPC. They argue that they have complied with the necessary evaluations regarding the use of standard contractual clauses for data transfers. The company maintains that there has never been a request from Chinese authorities for the data of European users and asserts that they have never transmitted any such data. Bytedance claims to have identified and reported the issue of data being sent to China to the DPC as part of their commitment to transparency and security, asserting significant investments in infrastructure to ensure data safety.

