TikTok receives record €530 million fine — data transfers to China under scrutiny
The largest fine of 2025
In April 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million for violating GDPR rules on international personal data transfers. It is the highest individual fine of 2025 and the first major enforcement case concerning data transfers to China.
The DPC found that TikTok illegally transferred European users' personal data to servers in China without ensuring an adequate level of protection. China is not a country with an adequacy decision — and TikTok failed to demonstrate that the safeguards used met GDPR requirements.
Context: data transfers to third countries
Since the invalidation of Privacy Shield (Schrems II, 2020), companies transferring data outside the EU/EEA must use Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other safeguards. They must also conduct a Transfer Impact Assessment proving that the destination country provides a comparable level of protection.
For China, this assessment is particularly problematic. Chinese cybersecurity and national security laws grant state authorities access to data without a court order — directly contradicting GDPR requirements for protection against mass surveillance.
Why this isn't just TikTok's problem
The TikTok fine sets a precedent, but the data transfer problem affects any company using:
- Analytics tools with servers outside the EU (certain Google Analytics configurations, Meta Pixel)
- Cloud services with data centers in third countries
- SaaS platforms processing data on servers outside the EEA
- CDN and ad networks transferring user data to the US or Asia
Total fine volume in 2025
TikTok was not alone. The year 2025 saw fines totaling approximately €1.2 billion:
| Company | Fine | Reason |
|---|---|---|
| TikTok | €530M | Data transfers to China |
| Meta | €479M | Unlawful processing of user data |
| €200M | Gmail ads without consent | |
| SHEIN | €150M | Cookies without valid consent |
France led in total fine volume (€486.8M), followed by Spain (€45.2M) and Italy (€15M).
Lessons for businesses
Even small and medium companies transfer data to third countries — often unknowingly. Google Analytics, Facebook Pixel, Hotjar, Intercom — each of these tools may constitute a data transfer outside the EU.
What to check:
- Where is your data processed? Find out where your third-party tools send user data.
- Do you have valid SCCs? Standard Contractual Clauses must be the current version (2021) and supplemented with a Transfer Impact Assessment.
- Is consent properly configured? If you use tools that transfer data to third countries, users must be informed and must grant specific consent.
How Waulter helps
Waulter CMP automatically scans websites and identifies external services and scripts — including those that transfer data outside the EU. The crawler analyzes network traffic (HAR files) and detects where data flows. The result is a clear report showing:
- Which third parties collect data on your website
- Which countries the data goes to
- Whether these transfers are covered by consent
This forms the basis for a Transfer Impact Assessment and for configuring granular consent scenarios.
Sources: DPC TikTok decision (April 2025), CNIL Google/SHEIN decisions (2025), TechCentral.ie — GDPR fines overview 2025