TikTok's privacy mess just got way more expensive

TikTok's rocky ride with Western governments isn't slowing down. While all eyes are on its uncertain future in the US over national security concerns, the app is now facing new heat in the European Union. After years of being accused of potentially exposing personal data to China, the pressure is mounting once again.
The EU has just hit the platform with a big €530 million fine (around $600 million when directly converted) after a long-running investigation found that TikTok's data transfers to China violated strict EU privacy rules.
Ireland's Data Protection Commission (DPC), which oversees TikTok in the EU since its European HQ is in Dublin, said the app wasn't transparent enough about where user data was being sent and didn't do enough to protect it from access by Chinese staff. TikTok has six months to fix the issues.
TikTok isn't backing down, though. The company said it plans to appeal, arguing that the ruling ignores its new €12 billion data protection initiative, Project Clover. That includes building three data centers in Europe and putting stronger controls in place since May 2023.
TikTok also said it has never been asked by Chinese authorities to hand over European user data, and that it has never provided any.
This is actually TikTok's second big fine from the DPC. In 2023, it got slapped with a €345 million penalty over how it handled kids' data. The DPC has also taken action against other tech giants under the EU's GDPR rules, which let regulators fine companies up to 4% of their global revenue.
For example, just last year, Ireland's Data Protection Commission went after Twitter International, the Irish arm of X, over concerns about how the platform handles personal data from millions of European users.
Meta also got hit with a hefty fine of around $250 million for a data breach, and LinkedIn wasn't spared either – facing a €310 million (about $334 million when directly converted) penalty after the DPC found it misused user data for targeted ads through behavioral analysis.
TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
– Deputy Commissioner Graham Doyle, May 2025
The decision fails to fully consider Project Clover, our €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere. It instead focuses on a select period from years ago, prior to Clover's 2023 implementation and does not reflect the safeguards now in place.
– Christine Grahn, Head of Public Policy & Government Relations - Europe, May 2025
(TikTok) has never provided European user data to them [the Chinese authorities]. We disagree with this decision and intend to appeal it in full.
– Christine Grahn, Head of Public Policy & Government Relations - Europe, May 2025