TikTok fined $600 million by EU for illegally sending user data to China
- 08:22 PM, May 02, 2025
- Myind Staff
The European Union privacy watchdog fined TikTok 530 million euros ($600 million) on Friday following a four-year investigation. The investigation found that TikTok’s transfers of user data to China violated strict EU privacy rules and exposed users to spying risks.
Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent. It gave TikTok six months to comply with the EU privacy rules.
Ireland’s watchdog is the lead data privacy regulator for TikTok in the 27-nation EU because the company has its European headquarters in Dublin.
Deputy Commissioner Graham Doyle said, “TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
TikTok disagreed with the decision and said it plans to appeal.
In a blog post, the company said the decision focused on a “select period” ending in May 2023. It added that since then, it had started a data localisation project called Project Clover, which includes building three data centres in Europe.
Christine Grahn, TikTok’s European head of public policy and government relations, said, “The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm.” She added, “The decision fails to fully consider these considerable data security measures.”
TikTok’s parent company, ByteDance, is based in China and has come under scrutiny in Europe over how it handles personal user data. Western officials have raised concerns that TikTok poses a security risk by sending user data to China. In 2023, the Irish watchdog also fined TikTok hundreds of millions of euros in a separate investigation into child privacy violations.
The Irish watchdog said its investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data. It cited Chinese laws on anti-terrorism, counterespionage, cybersecurity and national intelligence, which “materially diverge” from EU standards.
Grahn responded, “TikTok has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”
Under the EU’s General Data Protection Regulation (GDPR), European user data can only be transferred outside the bloc if safeguards are in place to ensure an equivalent level of protection.
Grahn said TikTok strongly disagreed with the Irish regulator’s claim that it did not conduct “necessary assessments” for data transfers. She said the company sought advice from law firms and experts. She argued that TikTok was being “singled out” even though it uses “the same legal mechanisms” as thousands of other companies in Europe. She also said its approach was “in line” with EU rules.
The investigation, which started in September 2021, also found that TikTok’s privacy policy at the time did not identify third countries, such as China, to which user data was being transferred. The watchdog said the policy, which has since been updated, did not make it clear that TikTok’s data processing involved “remote access to personal data stored in Singapore and the United States by personnel based in China.”
The regulator also said TikTok gave inaccurate information during the inquiry. TikTok had stated that it did not store European user data on Chinese servers. But in April, the company informed the regulator that it had discovered in February that some data had, in fact, been stored on servers in China.
Doyle said the watchdog is taking this development “very seriously” and is “considering what further regulatory action may be warranted.”