TikTok Under New Investigation by Irish Watchdog Over EU User Data Stored in China
Irish Watchdog Launches New Probe Into TikTok’s Data Transfers to China
TikTok is once again under intense regulatory scrutiny in Europe as Ireland’s Data Protection Commission (DPC) has launched a fresh investigation into the platform’s transfer of EU users’ personal data to China. The inquiry, announced on Thursday, comes on the heels of a record-breaking €530 million fine issued to the social media giant in April for previous violations related to data protection and international data transfers.
The new probe raises serious questions about TikTok’s data handling practices and its compliance with the European Union’s stringent privacy rules under the General Data Protection Regulation (GDPR). It also intensifies concerns about Chinese access to European user data at a time of growing geopolitical tension and digital sovereignty concerns.
Register for Tekedia Mini-MBA edition 18 (Sep 15 – Dec 6, 2025) today for early bird discounts. Do annual for access to Blucera.com.
Tekedia AI in Business Masterclass opens registrations.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register to become a better CEO or Director with Tekedia CEO & Director Program.
What Triggered the Investigation?
At the core of the DPC’s new inquiry is conflicting information TikTok provided during the earlier investigation. Initially, the company claimed that no EU users’ data was stored on servers in China, and that any access to personal data by employees in China occurred through remote access only, which would be considered less invasive and easier to regulate.
However, TikTok revised its statement in February 2025, admitting that “limited” EU personal data had, in fact, been stored on servers in China—a revelation that contradicted its earlier assurances. This admission prompted the DPC, which serves as the lead data protection regulator for TikTok in the EU, to open a new inquiry into potential non-compliance with GDPR’s rules on third-country data transfers.
Why This Matters Under GDPR
Under GDPR, the transfer of personal data outside the European Economic Area (EEA) is tightly regulated. Such transfers are only permitted if the receiving country has been granted an “adequacy decision” by the European Commission, ensuring its data protection standards are in line with those of the EU.
While countries like the United States, Switzerland, and Argentina are included on the adequacy list, China is not. This means that any transfer of personal data to China must involve additional safeguards, such as standard contractual clauses or explicit user consent, and must be clearly disclosed.
If TikTok stored even a small amount of EU personal data in China without meeting these conditions, it could represent a serious breach of EU data protection law—and a potential justification for further penalties.
TikTok’s Response
A TikTok spokesperson acknowledged the issue but emphasised that the company proactively discovered the storage of limited EU data in China and took swift action.
“We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security,” the spokesperson said.
The company maintains that the breach was unintentional and that its reporting of the incident demonstrates a genuine effort to comply with regulatory standards.
However, critics argue that TikTok’s track record suggests a troubling pattern of miscommunication or obfuscation about its data practices—particularly in relation to China, where its parent company, ByteDance, is headquartered.
Ongoing Concerns Over TikTok’s Data Practices
This latest inquiry adds to a growing list of privacy concerns surrounding TikTok’s global operations. In recent years, governments and regulators around the world have questioned the platform’s links to the Chinese government, and alleged access by Chinese employees to user data in other countries.
The United States, for instance, has introduced legislation aimed at forcing ByteDance to divest TikTok’s U.S. operations or face a potential ban. Similar concerns have surfaced in Canada, Australia, India, and several European nations, including France and the Netherlands.
In the EU, the Irish DPC’s role is particularly important. Because TikTok’s European headquarters is in Dublin, the Irish authority serves as the lead regulator under the GDPR’s “one-stop-shop” mechanism. This makes the DPC’s decisions influential not just in Ireland but across the entire EU bloc.
What’s Next for TikTok?
The new investigation will focus on determining whether TikTok’s actions breached GDPR rules on third-country transfers and data transparency. The DPC is also consulting with other national data protection authorities across Europe to assess what enforcement measures might be necessary.
If the platform is found to have misled regulators or failed to implement appropriate safeguards, it could face another substantial fine and stricter operational restrictions within the EU.
This comes at a time when data localisation—the practice of keeping data within national or regional borders—is becoming a core issue in digital regulation. For TikTok, maintaining access to European markets will require not only technical compliance but also genuine trust and transparency.
Looking Forward
As the Irish Data Protection Commission deepens its investigation, the outcome could have far-reaching implications not only for TikTok but for the broader tech industry’s handling of cross-border data transfers. Regulators across the EU will be watching closely, as will governments around the world grappling with how to balance innovation, user privacy, and national security. For TikTok, transparency and full compliance will be critical moving forward—especially as public trust and regulatory scrutiny tighten in tandem. The case also signals a clear message: in today’s global digital economy, data protection is not optional—it’s foundational.
Conclusion
TikTok’s admission that EU user data was stored in China—even if limited—has reignited fears about foreign surveillance and data misuse. The Irish DPC’s new probe signals that European regulators are no longer willing to accept vague or evolving answers when it comes to the privacy of their citizens. As the inquiry unfolds, the case will serve as a critical test of how global tech platforms can be held accountable for cross-border data flows in an increasingly divided digital world.
Meta Description:
The Irish Data Protection Commission has launched a new probe into TikTok over the storage of EU user data in China, raising fresh concerns about GDPR violations and digital privacy.
Uploaded files: