The Irish Data Protection Commission (DPC) has opened a fresh inquiry into TikTok following the company’s disclosure that personal data of European users had been temporarily stored on servers in China.
The development adds to mounting regulatory pressure on the platform, which is already appealing a €530 million fine imposed in May over separate data protection breaches.
TikTok, owned by Beijing-based technology firm ByteDance, informed the Irish watchdog in April that a limited volume of user data from the European Economic Area had been stored in China. This admission contradicted previous assurances given during a four-year investigation, during which the company repeatedly stated it did not store European data on Chinese servers.
The new probe, announced by the DPC on Thursday, will examine whether TikTok’s handling of these data transfers complied with the General Data Protection Regulation (GDPR), the EU’s comprehensive legal framework governing personal data. Specifically, the investigation will assess the lawfulness of the transfers and whether adequate safeguards were in place.
In a statement, the regulator said:
“As a result of the information received, the DPC has now decided to initiate a new inquiry into TikTok. The purpose is to determine whether TikTok has complied with its obligations under the GDPR with regard to the transfers in question.”
The case is being handled by the Irish authority because TikTok’s European headquarters are located in Dublin, making the DPC its lead supervisory authority under the EU’s one-stop-shop mechanism for cross-border data issues.
TikTok has stated that the data in question were discovered by the company itself and were subsequently deleted from Chinese servers. A spokesperson said the firm “promptly deleted this minimal amount of data from the servers and informed the DPC.” They added that the company’s proactive disclosure reflects its commitment to “transparency and data security.”
However, the storage of European data in a jurisdiction not recognised by the European Commission as offering adequate data protection raises significant legal concerns. GDPR prohibits the transfer of personal data to third countries unless certain conditions are met, including the implementation of appropriate safeguards or the existence of a legal adequacy decision.
The earlier DPC decision, delivered on 2 May, centred on broader concerns about TikTok’s data protection practices, including the handling of child users’ information and cross-border data transfers. That ruling resulted in a record €530 million fine—the largest ever issued by the Irish watchdog—and required TikTok to bring its data operations into compliance. TikTok is currently appealing the decision, arguing that it sets a precedent that could affect any globally operating firm with European users.
The DPC stated in May that TikTok had maintained throughout the prior investigation that no data was stored in China. The revelation in April that some data had, in fact, been stored there—even if temporarily—prompted the regulator to reassess the case. The current inquiry is confined to this specific aspect and is not a continuation of the previous proceedings.
TikTok has over 1.5 billion users worldwide and a growing presence across the EU. It has launched several initiatives intended to bolster regulatory confidence, including “Project Clover,” which aims to localise data storage within the European Union. Data centres in Ireland and Norway are under development as part of that plan.
Nonetheless, concerns persist among lawmakers and regulators about the platform’s connections to Chinese authorities. Under China’s National Intelligence Law, companies are obliged to cooperate with state intelligence services if requested, leading to fears that user data could be accessed by the Chinese government.
The European Data Protection Board and national regulators have been increasingly focused on the geopolitical implications of data transfers. The 2020 Schrems II ruling by the Court of Justice of the European Union significantly tightened the legal framework for such transfers, invalidating the EU–US Privacy Shield agreement and placing additional obligations on companies to assess data protection risks in third countries.
Read also:
TikTok’s Political Power: AI’s Take on a Social Media Wildcard
