South Africa, May 13 -- The violation

TikTok admitted in April 2025 that European user data was stored on Chinese servers, contradicting earlier statements to Irish regulators. This breach eroded trust and fuelled the DPC's decision.

Stated DPC Deputy Commissioner Graham Doyle:

The company neglected to assess risks posed by Chinese national security laws, which grant Chinese authorities broad data access.

Beyond the fine

The DPC has ordered TikTok to comply with GDPR within six months or face a potential suspension of data transfers to China, which could disrupt operations.

This case underscores tensions between global tech operations and regional privacy laws, particularly when those operations span jurisdictions with fundamentally...