Privacy and Data Protection Tracker

Fines Issued by DPAs benchmark updated to include the €530m (£450m) penalty imposed on TikTok for infringements of the GDPR

We have updated our Fines Issued by DPAs benchmark within our Privacy and Data Protection Tracker to include the €530m (£450m) fine imposed on TikTok by Ireland’s Data Protection Commission (DPC). On 2 May 2025, the DPC concluded an inquiry into the lawfulness of TikTok's transfers of the personal data of EEA users to China, determining that the platform infringed the GDPR through its overseas transfers of this data (despite the ongoing changes brought about under "Project Clover") and by not meeting its transparency requirements under the act. 

According to our benchmark, this is the largest fine imposed on TikTok to date by any data protection regulator, eclipsing the €345m (£296m) sanction issued by the DPC in September 2023 after finding that the platform had failed to provide sufficient transparency information to younger users and implemented ‘dark patterns' by nudging users towards more privacy-intrusive options during the registration process. It is the third largest penalty handed out to a telecoms or tech company by authorities for a breach of the GDPR (after Meta and Amazon), but the fourth biggest fine overall, with Facebook’s $5bn (£3.7bn) fine over the Cambridge Scandal claiming top spot by some margin.

This latest fine is also not the most significant privacy-related penalty handed out by the DPC. Its record €1.2bn (£1.04bn) fine of Meta in May 2023 over EU-US data flows accounts for 30% of the total it has issued. In fact, Meta and its subsidiaries (Instagram and WhatsApp) have received the majority of financial penalties imposed under the GDPR by the DPC, which has found itself as the de facto primary enforcer of the regime given that Ireland is home to the European headquarters of many large tech firms.