Irish privacy watchdog hits TikTok with €530M fine over data transfers to China
226 comments
·May 2, 2025prof-dr-ir
lolinder
To hurt enough to be worth changing the fines don't have to be a fraction of their global revenue, they have to be significantly more than the benefit gained from the illegal behavior. According to that article TikTok made $10B of that $20B in the US alone, which puts a cap on their European revenue of $10B (likely significantly less because this ignores Brazil and Indonesia, which according to the linked article are its largest markets by user count).
€530m is ~$600m, so this fine is at least 6% of their relevant 2024 revenue, and likely substantially higher. I don't know enough about their business practices to know if that's a big enough chunk to make up for what they gain by cheating, but it's definitely not a wrist slap.
lukeschlather
The thing is, TikTok is not accused of directly profiting off of this, they are accused of operating as part of the Chinese espionage apparatus. Assuming that this is the case, TikTok is going to be happy to continue paying fines as long as they break even worldwide. And the US is making no serious attempts to rein in this sort of behavior so they've got all that US profit to use.
vkou
So the thing about fines for non-compliance is that they only have one direction to go if you don't comply.
TechDebtDevin
I've still yet to see any evidence that TikTok is anymore of a spying/espionage tool than your average app on any device. But I guess if people just keep repeating that It will make it true.
Never mind, I forgot, Western Intelligence orgs are trusted sources of truth and definitely wouldn't spy on me or lie to me. My Bad!
null
PurpleRamen
> 'massive' -- by which standards?
Other fines? Going by amount, it seems somewhere in the top 20 of highest single case fines of all time. Top 3 if we just look at privacy fines in Europe.
> It is high time we got used to companies being fined a reasonable fraction of their revenue
How does "getting used to it" changes the classification? It's still a massive amount, even it such numbers are becoming more common. And especially as they should not become common.
Rygian
The point being that the actual absolute amount should not get as much attention as the percentage of revenue it represents.
PeterStuer
If I have 100M€ in revenue with a 60% margin, a 6% revenue fine while not negliable can be brushed off as the price of doing business. If I have 100M€ revenue with a 2% margin, a 6% fine might mean bankruptcy.
null
crazygringo
Just a nitpick -- a fraction of their profit (net income), not revenue. Most of revenue already goes out the door as expenses. If you fined as a reasonable fraction of revenue, you'd simply bankrupt a corporation, which is not what you want if your goal is to change behavior.
If global revenue is $20B and we assume 20% profitability, that's $4B, and so this fine is 15% of global profit.
That's a gigantic fine.
You also have to remember that tons of these regulations are vague and unclear and massively open to interpretation, and that companies can genuinely believe they are complying, and their lawyers agree, but then judges still rule otherwise, because it's ultimately just a matter of opinion because of the vagueness.
You also have to remember that individual countries fining on global revenue runs the risk of fines "duplicating" each other for the same or similar behavior, again bankrupting a corporation when the goal should be to change behavior.
Macha
> Just a nitpick -- a fraction of their profit (net income), not revenue. Most of revenue already goes out the door as expenses. If you fined as a reasonable fraction of revenue, you'd simply bankrupt a corporation, which is not what you want if your goal is to change behavior.
Nah, hollywood accounting is alive and well in tech. Especially in Ireland, where plenty of tech companies are being "charged" slightly absurd fees for services or trademark licenses by subsidiaries or parents in other countries to avoid making a profit on their tax filings.
crazygringo
No -- there's no such thing as Hollywood accounting in tech at the global level.
Yes you can certainly shift things around at the country level. But when you add up all the subsidiaries together in the single global corporation (the publicly traded one when it exists), the numbers are the numbers. Income minus expenses is a single, stable number that you can't fudge.
gaiagraphia
The internal operations of a company shoud be irrelevant to nations.
If a company is taking £billion out of a nation's spending power, and doing so with nefarious practices, that's what should be fined.
If bankruptcy is a worry, then comapnies shouldn't fly so close to the sun when adopting immoral practices.
Income is the only reliable thing you can tax. Trying to calculate profit for international companies is an absolute joke which is massively inefficient. Why an Earth should governments employ entire teams to second guess internal bookkeeping?
If you want to take a billion from a nation's citizens, better be sure you're providing a legal service. I mean, are drug dealers punished on profit?
crazygringo
Nothing of what you're saying makes any sense.
> Income is the only reliable thing you can tax.
Then why does every country on earth tax corporate profit, not income?
> Why an Earth should governments employ entire teams to second guess internal bookkeeping?
Because that's how you make sure companies pay their taxes? Because it's a net gain to employ those teams because they find much more tax cheating than it costs to employ them?
> If a company is taking £billion out of a nation's spending power
Companies don't. They take cash and in return provide services that are even more valuable. The entire idea of free trade is that it's positive-sum for all.
GeoAtreides
>You also have to remember that tons of these regulations are vague and unclear and massively open to interpretation, and that companies can genuinely believe they are complying, and their lawyers agree, but then judges still rule otherwise, because it's ultimately just a matter of opinion because of the vagueness.
This is the equivalent of the famous Babbage anecdote, but for the law. That's absolutely not how the law or regulatory compliance works, not in Europe at least.
crazygringo
...but it absolutely is? Why do you think fines get appealed, and companies often win on appeal?
If there weren't vagueness and shades of gray, then appeals courts would barely need to exist.
ta1243
When you get a fine in Europe it tends to be related to your income. Not your income after your expenses, your actual income.
Finland for example will fine you 100k for speeding if your income is high enough. In the UK fines range from 50% of your weekly income (band A) to 600% of your weekly income. Someone on £500 a week income and spending that on housing, food etc, could pay £3k. Someone with the same offence on £50k a week would be fined £300k.
crazygringo
Well, individuals and corporations are different.
Individuals are also taxed on all their income, whereas corporations are taxed only on their profit.
Corporations are effectively intermediaries in production chains. Profit is the only meaningful metric, how much value do they add. Individuals are at the "end" of the chain, how much value do they consume.
The proper analogy of a fine being based on income for an individual, is for a fine being based on profit for a corporation.
ipaddr
Someone unemployed speeding to a job interview gets a pass? That seems like a big loop hole.
lmkg
> You also have to remember that individual countries fining on global revenue runs the risk of fines "duplicating" each other for the same or similar behavior, again bankrupting a corporation when the goal should be to change behavior.
This is explicitly not a concern under GDPR. The "one-stop shop" mechanism means that all issues across the EU get funneled to the lead supervisory authority, which is always Ireland because that's where EU subsidiaries are headquarters for tax purposes.
gundmc
Yes, but there are countries outside of the EU who may also decide to fine based on global revenue.
lupusreal
Doing anything by fractions of profit is an invitation for Hollywood accounting. "Oops we have no profit because we have accountants who's job it is to shuffle money around in circles until everybody gets confused and gives up."
> simply bankrupt a corporation, which is not what you want if your goal is to change behavior.
Yes it is. Nuke the corporation and burn all the investors. This will teach a lesson.
crazygringo
No it's not.
The goal of punishment is correction of behavior, not destruction.
By your logic, we ought to apply the death penalty for stealing a candy bar. Because that will teach a lesson too, no?
observationist
This is wrong, and even revenue isn't sufficient - you want to fine a sizeable fraction of the total value of all assets of the company based on the scope, duration, and severity of the violation.
Companies don't protect user data. They store, silo, and secure user data for as little cost as possible. No meaningful consequences means they will continue to harvest and disperse user data at an increasing rate until we get serious about requiring responsible practices and accountability.
The risk of being bankrupted is what will keep a corporation behaving well.
Penalties should be fatal to a corporation. If Microsoft or some random new startup had to follow the same regulations and protect user data to some bare minimum standard, and we apply the same degree of penalty, rather than some arbitrarily large fine which the mega corps are happy to pay, we can affect behavior.
The big companies have teams of lawyers who effectively (and sometimes explicitly) collude with the beancounters and MBAs to enshittify their products and services and milk every last drop of revenue, even exploiting the data of non-customers who just happened to encounter some peripheral surveillance apparatus.
We need to protect individual data privacy and restrict anything except informed consensual tracking. We need to mandate ephemerality and basic security standards. We need to make violations of these regulations lethal to a company, and impose mandatory minimum jail time for c-suite offenders.
Anything short of this results in overt, blatant, repeated violations of the laws by the big companies because they're happy to pay $5m or even $50m if it means they extract $500m more revenue and lock out any potential disruptive competition.
This would effectively mean that giant platforms which cannot responsibly store and manage user data would not be able to continue operation at the scale they're at. It would mean fragmentation and decentralization of various services, disincentivizing monopoly, improving market health, driving product and service progress.
Without harsh and extreme consequences that are as meaningfully painful to FAANG sized megacorps as they are to a one man startup, the problems won't ever be resolved. FAANG and tech outpaced regulation, resulting in effectively the total pwnage of data for more or less every living human on the planet. This is unacceptable, and the only way it changes is for the US to drop the hammer on the exploitive and irresponsible practices that led us here.
Let these asshats go bankrupt. We don't need Meta or Alphabet or Amazon. They're not entitled to screw the world for profit. If they can't operate ethically and responsibly, then they shouldn't be allowed to operate at all.
linkregister
This is an incomplete understanding of the stakeholders in these rulings.
1. The goal of the fines is to act as a deterrent and to encourage companies to get back into compliance.
2. The arbiters aren't operating in a vacuum. Bankrupting services that the citizens of a country rely on is unpopular and not in service of goal #1.
3. We know that this is the case because Uber and other ride sharing services were able to violate the law and convince voters to have the law changed to permit these services.
4. Fines impacting net revenue are dealt with seriously by companies when they are adequately large, e.g. 10% of net revenue. Compliance departments are not funded as a job creation or charity exercise. When companies report earnings, these fines frequently determine whether earnings guidance is achieved. This impacts company officers' compensation.
tl;dr, you passionately believe in these views, but it is not one held by the majority. Your minority view should not be the basis of public policy.
ta1243
> Let these asshats go bankrupt.
No need to go bankrupt, just force-issue more shares, diluting the existing shareholders. These are then sold on the open market and the revenue goes to paying the fine.
Only if the share price drops to zero does the company then go bankrupt.
tlb
Worse than the small amount is the length of time it took. If you accept the accusations at face value, China has been spying on a large fraction of EU citizens for 4 years and can keep doing it for another 6 months (after which they probably won't actually stop) for the eventual fine of a few dollars per victim. The US isn't moving any faster, and most other countries aren't moving at all.
So the end result is that potentially hostile countries can run vast spying operations for a long time with no major consequences. As long as they do it with funny videos with annoying soundtracks.
hbarka
Does Meta or X get the same scrutiny or is this the China bogeyman?
Macha
Yes: https://edition.cnn.com/2025/04/23/tech/european-union-apple...
Meta has had multiple rounds of €xxxM fines already from the EU.
input_sh
X is rumored to be hit with a billion dollar fine soon(ish), so yes: https://www.nytimes.com/2025/04/03/technology/eu-penalties-x...
ipaddr
An American company following the laws does not get the scrutiny that another company working with a hostile government to eliminate your way of life does. Why would they? Are they somehow equal because they both can be downloaded in the social app category in the play store?
That's like asking why can I buy things from facebook marketplace but can't use my American credit card on vk.com?
null
charlieyu1
€530M is enough to be a deterrent under normal circumstances.
Now we all know it is not normal but then it should be handled with a lawsuit/law enforcement. Don’t think any organisation is going to do that far alone.
null
dmix
How is $600M not massive?
ziddoap
When viewed as a percent of their annual revenue, rather than an absolute number, it's not really all that massive. It's like 3% or so.
And you can't really just look at the 3%, you have to factor in what benefits (money, political sway, whatever) they received in exchange for the data. For simplicity, if they got paid, I don't know, $150M/yr from China for the data and they've been sending data for (at least) 4 years... They would have made a profit despite the fine!
($150M is obviously pulled out of my ass, just as a demonstration of how when you look at the fines from a bigger context, it might just be a line item on the expense report that's worth taking the risk on)
dmix
> When viewed as a percent of their annual revenue,
I've always found this viewpoint a bit childish, with little regard for how businesses work IRL (even the ignoring the obvious profits vs revenue part). Reminds me of how every comment section re: some crime story is people calling for death penalty or how a mob should kill them first. Justice is never that simple.
I understand people want businesses they don't like to simply not exist anymore but that doesn't mean it's rational to throw up insane fines because you spent 2min doing back of a napkin math of revenue * (imaginary deterrent %)
> For simplicity, if they got paid, I don't know, $150M/yr from China for the data and they've been sending data for (at least) 4 years... They would have made a profit despite the fine!
The Chinese government doesn't need to pay companies to exfiltrate data from companies within their reach.
rsynnott
Arguably it's still at a level where it could be considered a cost of doing business. One school of thought is that for corporate punishment to be an effective deterrent it has to be _existential_; if you tell a company "if you do an illegal thing that makes you an extra billion dollars a year, we might eventually get around to fining you a few hundred million", then the rational company will say "sure, send us the bill whenever", and get on with doing the illegal thing.
ta1243
To someone on the median global salary of $300 a month, $1000 is a lot of money.
To someone on $500k a year, $1k is a night out in vegas.
To a billionaire, $1k is toilet paper.
_DeadFred_
Someone here floated that instead of fines it should be government ownership in the company. You dilute the original owners, so they get punished for bad behavior. As a part owner, the government is now 'inside' and has a whole lot more visibility/ability to request information. And over time, should bad behavior continue, the government gains control.
Look at a company like Tesla whose stock is super high but profits low. A percentage of profits wouldn't mater to them. But government control via stock would get their attention and the attention of stock owners real quick.
codetrotter
Є in the title of the HN submission is not the Euro symbol.
€ is.
Alifatisk
The title have been changed and they added the symbol, I can't update the title anymore. Hopefully Dang fixes it.
faraggi
Also, the € symbol is a suffix to amounts, not a prefix like $.
jtvjan
I think that convention depends on the language, not the currency.
For example, in German it's usually written postfix, but in Dutch it's usually prefix.
Cribbin
That actually varies by country. In Ireland it is used as a prefix
secondcoming
Only in some countries. The position of the currency symbol is a locale thing
Marsymars
It very much is a locale thing, not even a country thing - e.g. en-ca and fr-ca have '$' as a prefix/suffix, respectively.
trollbridge
I just trust whatever the LC_CURRENCY settings do.
switch007
Not universally
> Placement of the sign varies. Countries have generally continued the style used for their former currencies. In those countries where previous convention was to place the currency sign before the figure, the euro sign is placed in the same position (e.g., €3.50).[7] In those countries where the amount preceded the national currency sign, the euro sign is again placed in that relative position (e.g., 3,50 €).
> In English, the euro sign – like the dollar sign ⟨$⟩ and the pound sign ⟨£⟩ – is usually placed before the figure, unspaced,[8] the reverse of usage in many other European languages
> The European Union's Interinstitutional Style Guide (for EU staff) states that the euro sign should be placed in front of the amount without any space in English, but after the amount in most other languages
eenokentee
[dead]
s_dev
There’s a lot of frustration and cynicism in this thread, but I suspect some misunderstandings might be fuelling it. First off, Ireland is part of the EU, and under GDPR’s 'one-stop-shop' system, the country where a company has its EU headquarters in Ireland, in the case of many tech giants it takes the lead on enforcement for the entire EU. So when Ireland’s regulator fines a company under GDPR, they’re essentially doing it on behalf of the whole EU, it’s not just Ireland acting alone.
GDPR fines can be very significant, the rules allow penalties either as a percentage of a company’s global revenue or as a large fixed amount whichever is higher. This ensures even the biggest companies feel the impact. Plus, these fines are public and transparent. Every big fine is announced and reported, which means there’s a reputational hit alongside the financial one. That publicity is intentional: it adds pressure on companies to improve, making the fines a real deterrent rather than just a quiet cost of doing business.
It’s also worth clarifying where the fine money goes. It doesn’t just line Ireland’s pockets. In practice, the money goes into the EU budget. If Ireland collects a hefty fine, that amount is basically offset against what Ireland would normally contribute to the EU budget. If people in other EU countries were affected by the violation, those countries can request a portion of the fine as well. In short, Ireland isn’t profiting solo from these fines, it’s just the point of collection because that’s where the companies are based.
Interestingly, some comments here call the fines 'insane' (too harsh) while others say they’re 'a slap on the wrist' (too lenient). That contradiction highlights the misconceptions around GDPR fines. In reality, these penalties are meant to be serious enough to matter, but proportionate to a company’s size and the offence. They’re not intended to destroy a business, but they’re definitely not nothing either, they serve as a real consequence to encourage companies to respect people’s privacy.
tossandthrow
> ... percentage of a company’s global revenue or as a large fixed amount whichever is higher.
It should be noted that this is used to establish a maximum fine.
Then the regulator can fine at X% of the maximum fine.
It should be noted, that this is established to avoid that individual EU member states fine too little to attract business (Like Ireland has previously had issues on re. too little taxing)
NoahZuniga
> If Ireland collects a hefty fine, that amount is basically offset against what Ireland would normally contribute to the EU budget
Ireland paying x less dues is practically equivalent to them earning x money; it does just line Ireland's pockets. (Of course this is just the portion that isn't requested by other EU countries)
pjc50
It would really help to have some references on the details of the fine routing, because this comes up a lot. Dozens of posts here, and it always gets argued over when GDPR is mentioned.
fennecbutt
Lmao that's nothing to them. But we all knew that, happens all the time.
There's not countries. There's not borders. There's just wealth. Concentrated wealth.
WorldPeas
I’m sure they’re just acting within the law here, but I’m pretty sure the bigger threat isn’t the egress of data but rather the ingress of influence over the app’s algorithm, and therefore users
SilverBirch
Two things I wonder about: first are these fines actually going to happen or is the sort of thing where it gets appealed indefinitely. And second, where do the fines go? It sounds a lot like since Ireland is where Tiktok is getting fined the fines go to the Irish government which would seem crazy. The fines are assessed in the context of the full EU, but only Ireland gets the revenue? This is broken.
pjc50
UK: the regulator which issues the fine pays almost all of it (minus some expense recovery) into the consolidated fund, i.e. the same pot as taxes.
This is roughly what I'd expect. The EU does very little law enforcement directly, most is done through national regulators.
This is the reverse of the Apple situation, where the EU fined the Irish government for not collecting enough taxes from Apple.
tailspin2019
For clarity, I don’t think the UK is involved in this at all.
This seems to be a fine issued in the Republic of Ireland which is not part of the UK (but, unlike the UK, is still part of the EU).
diggan
> And second, where do the fines go?
Someone correct me if I'm wrong, but the income from the money eventually flows into the overall EU budget, so it's like we (EU residents) get a tiny rebate on our taxes. But seems to also depend on each country, Spain is somewhat unique in that the DPA seems to keep it themselves.
skeeter2020
>> so it's like we (EU residents) get a tiny rebate on our taxes.
Don't know specifically about this scenario, but I've never seen a government's general revenues account treated like this. Governments rarely pay "dividends" - unless you're a targeted voting block they decide to go after.
rsynnott
The EU, specifically, essentially runs a balanced budget, so increased revenue from stuff other than member state contributions will reduce the required member state contributions. Of course how each member state funds those and what it does with them if they get cheaper is up to that member state.
tpm
You are partly wrong, the money from fines eventually flows into the overall EU budget, which is financed by contributions from member countries, so this contribution will be a bit lower, but this will not propagate into lower taxes for us.
diggan
> this will not propagate into lower taxes for us.
Yeah, sorry if I was unclear, I didn't mean that residents would literally have a line item on their tax bill because of the fines. But since the fines go into the overall budget, it's like the budget grows (in a very small amount) without people having higher taxes.
aurareturn
If it's truly Ireland only, then Tiktok might just exit the country and not pay the fine. Perhaps this is what Ireland wants?
Ireland is a small market. It'll take forever to make 530m in profit in Ireland for Tiktok.
tossandthrow
TikTok has their EU office in Ireland, that is why the case is happening there.
The verdict is for the entire EU, they'd have to exit the EU market.
pjc50
TikTok EU is based out of Ireland, so they'd have to move the whole datacentre. https://newsroom.tiktok.com/en-gb/tiktok-european-data-centr...
Meanwhile this is a very interesting read on their corporate structure: https://committees.parliament.uk/writtenevidence/13247/defau...
"On corporate structure specifically, there is a misconception that TikTok UK is a subsidiary of ByteDance's operations in China. This is not the case. TikTok UK is owned by global parent company ByteDance Ltd, incorporated in the Cayman Islands"
.. now, everyone talks about China as a global enemy of freedom and accountability, but I think Grand Cayman is underestimated as a bad actor or protector thereof.
rsynnott
It would have to leave Europe. This is being done under the auspices of the EU GDPR.
elnatro
Hope the use that money to improve things for the people there!
tiffanyh
Slightly OT: how does the money from fines get used by the government that issued the fine?
e.g. does it go into funding data privacy related activities/work?
edent
Taxes are very rarely hypothecated. In most countries, if you pay the "bear tax" it doesn't go into a big pot solely used for the eradication of bears.
So fines like this normally go into the general pot of government spending.
In the UK, data breach fines are spent on running the enforcement organisation - with the remainder going back to the state. https://ico.org.uk/about-the-ico/who-we-are/how-we-are-funde...
splatterxl
UK is not involved in this case. It's the Irish Data Protection Commission -- https://www.dataprotection.ie/en/who-we-are
arlort
In the EU it means next year member states have to pay a little bit less into the budget
The EU budget itself doesn't really change so it's not "more money" in a practical sense
(I realised I might've skipped a step but this fine is EU wide, not Ireland specific, the fine gets paid to the EU IIRC)
ThePowerOfFuet
@dang Can you please put this in the title? €
Thank you for saving our eyes.
dang
Let's get that Є out of there!
rbanffy
Roughly €100 per Irish resident. Not bad.
null
DarkmSparks
Far better than the ban them idea tbh.
Although I suspect US regulators won't like this approach because they want to syphon EU users data up as much as China.
'massive' -- by which standards?
It is high time we got used to companies being fined a reasonable fraction of their revenue. And TikTok's global revenue last year alone was estimated at $20 billion to $26 billion [1].
[1] https://www.nytimes.com/2025/01/17/technology/tiktok-ban-byt...