The Irish Data Protection Commission (DPC), the principal privacy regulator for TikTok in the European Union, has initiated a new investigation into the social media giant’s handling of European users’ data. The inquiry centers on revelations that TikTok stored a portion of European user data on servers located in China—an issue that has reignited concerns over cross-border data transfers and user privacy.
This latest investigation comes on the heels of a record €530 million fine imposed on TikTok by the DPC in May 2025. That penalty was levied for violations related to the remote access of EU user data by staff in China and for insufficient transparency regarding these practices.
Discovery of Data Storage in China
During the previous four-year investigation, TikTok consistently assured regulators that, while employees in China could remotely access EU user data, the data itself was not physically stored in China. However, in April 2025, TikTok disclosed to the DPC that it had uncovered a limited amount of European user data that had, in fact, been stored on Chinese servers. The company stated that this data has since been deleted.
The DPC expressed “deep concern” over TikTok’s submission of inaccurate information during the initial investigation. This discrepancy prompted the regulator to launch a new inquiry to determine whether TikTok has fulfilled its obligations under the General Data Protection Regulation (GDPR), particularly regarding third-country data transfers.
Scope of the Investigation
The DPC’s new investigation will focus on several key issues:
- Whether TikTok’s storage of European users’ data in China was lawful under GDPR.
- The adequacy of TikTok’s transparency and accountability in informing both users and regulators about the location and handling of their data.
- TikTok’s cooperation with regulatory authorities and compliance with requirements governing data transfers to countries outside the EU.
Context of the Previous Fine
The €530 million fine issued in May was the result of TikTok’s failure to adequately protect EU user data accessed from China and for not providing sufficient transparency about these transfers. The DPC found that TikTok did not ensure EU user data accessed from China was protected to the standards required by EU law, and failed to conduct proper transfer impact assessments. The company was ordered to bring its data processing activities into compliance within six months or risk a suspension of data transfers to China.
Broader Implications
TikTok’s data handling practices remain under intense scrutiny from regulators across Europe and the United States, with particular concerns about the potential for Chinese authorities to access user data under China’s national security laws. Under the GDPR, personal data can only be transferred outside the EU if the destination country offers adequate protection or if the company can guarantee equivalent safeguards. China is not recognized by the EU as providing “adequate” data protection, making such transfers highly sensitive.
