Back to news

TikTok receives record €530 million fine — data transfers to China under scrutiny

· Waulter team
TikTok GDPR fines data transfers China DPC third countries

The largest fine of 2025

In April 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million for violating GDPR rules on international personal data transfers. It is the highest individual fine of 2025 and the first major enforcement case concerning data transfers to China.

The DPC found that TikTok illegally transferred European users' personal data to servers in China without ensuring an adequate level of protection. China is not a country with an adequacy decision — and TikTok failed to demonstrate that the safeguards used met GDPR requirements.

Context: data transfers to third countries

Since the invalidation of Privacy Shield (Schrems II, 2020), companies transferring data outside the EU/EEA must use Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other safeguards. They must also conduct a Transfer Impact Assessment proving that the destination country provides a comparable level of protection.

For China, this assessment is particularly problematic. Chinese cybersecurity and national security laws grant state authorities access to data without a court order — directly contradicting GDPR requirements for protection against mass surveillance.

Why this isn't just TikTok's problem

The TikTok fine sets a precedent, but the data transfer problem affects any company using:

  • Analytics tools with servers outside the EU (certain Google Analytics configurations, Meta Pixel)
  • Cloud services with data centers in third countries
  • SaaS platforms processing data on servers outside the EEA
  • CDN and ad networks transferring user data to the US or Asia

Total fine volume in 2025

TikTok was not alone. The year 2025 saw fines totaling approximately €1.2 billion:

Company Fine Reason
TikTok€530MData transfers to China
Meta€479MUnlawful processing of user data
Google€200MGmail ads without consent
SHEIN€150MCookies without valid consent

France led in total fine volume (€486.8M), followed by Spain (€45.2M) and Italy (€15M).

Lessons for businesses

Even small and medium companies transfer data to third countries — often unknowingly. Google Analytics, Facebook Pixel, Hotjar, Intercom — each of these tools may constitute a data transfer outside the EU.

What to check:

  1. Where is your data processed? Find out where your third-party tools send user data.
  2. Do you have valid SCCs? Standard Contractual Clauses must be the current version (2021) and supplemented with a Transfer Impact Assessment.
  3. Is consent properly configured? If you use tools that transfer data to third countries, users must be informed and must grant specific consent.

How Waulter helps

Waulter CMP automatically scans websites and identifies external services and scripts — including those that transfer data outside the EU. The crawler analyzes network traffic (HAR files) and detects where data flows. The result is a clear report showing:

  • Which third parties collect data on your website
  • Which countries the data goes to
  • Whether these transfers are covered by consent

This forms the basis for a Transfer Impact Assessment and for configuring granular consent scenarios.


Sources: DPC TikTok decision (April 2025), CNIL Google/SHEIN decisions (2025), TechCentral.ie — GDPR fines overview 2025

Want to keep consent under control?

Waulter CMP helps you with consent management, GDPR compliance, and cookie banner optimization.