TikTok, the leading short-form video platform globally, has been slapped with a hefty fine of €530 million (around $600 million) for improperly transferring European user data to servers in China. Ireland’s Data Protection Commission (DPC) concluded that the transfers violate the European Union’s General Data Protection Regulation (GDPR). The DPC highlighted that TikTok did not ensure the level of data protection required by European standards when it sent information to China, sparking concerns about potential access by Chinese authorities due to national laws related to anti-terrorism and anti-espionage.
Out of the total fine, €485 million was designated for the unauthorized data transfers, while an additional €45 million pertains to TikTok’s insufficient explanation of these transfers in its privacy policy. Although the company updated its policy in 2022 and was deemed compliant by the court, this was not enough to mitigate the DPC’s concerns. Parent company ByteDance had previously announced a €12 billion investment in EU data centers, but the DPC found these measures inadequate.
During the investigation, TikTok claimed it did not store user data on Chinese servers, asserting that any access from its Chinese branch was remote. However, in April, the company revealed it had found a small amount of European data stored in China and subsequently deleted it. DPC Deputy Commissioner Graham Doyle indicated that further regulatory measures might follow this breach, potentially influencing the significant fine imposed.
This fine is now the third-largest issued under the GDPR, behind the penalties against Meta (€1.2 billion) and Amazon (€746 million). TikTok was already penalized $367 million in 2023 for mishandling children’s data. The company has six months to align its data processing with European regulations, or it could face even steeper penalties.
TikTok still has the option to appeal the decision.