TikTok just took another major hit in Europe’s ongoing battle to keep user data safe. Regulators have fined the company a staggering €530 million ($600 million) following a four-year investigation into how the platform handles user information—especially when it comes to data access from China.

The Irish Data Protection Commission, which leads enforcement for TikTok in the EU, found that European user data was remotely accessed by staff in China without proper safeguards in place. That’s a direct violation of GDPR, which requires companies to ensure that any data sent outside the EU has the same level of protection it would inside the bloc.

What’s especially concerning is that TikTok wasn’t transparent about these transfers, failing to disclose China as one of the locations where data was being accessed. It also didn’t clearly explain this in its privacy policy until recently. The watchdog says the app’s design put users at risk of foreign surveillance under China’s expansive national security laws.

TikTok has pushed back, saying the ruling focuses on a “select period” that ended in May 2023. They argue that since then, they’ve launched Project Clover, a data localization effort involving three new data centers in Europe and independent oversight by cybersecurity firm NCC Group. The company insists it has never handed over European user data to Chinese authorities, nor received any such request.

Still, the fine wasn’t just about policy wording or paperwork. Investigators say TikTok misled regulators about where user data was stored, only admitting earlier this year that some European data had been kept on Chinese servers—something it had previously denied.

TikTok now has six months to comply with EU rules or risk further enforcement. The Irish watchdog is also considering whether to take additional action, given what it calls inaccurate disclosures during the investigation.

For IT and cybersecurity teams, this case underscores just how high the bar has become for international data handling—and how regulatory scrutiny is tightening fast, especially when geopolitical tensions are in play.