TikTok faces new DPC inquiry over China data storage violations

The Data Protection Commission (DPC) has announced the opening of a formal inquiry into TikTok Technology Limited's transfers of European Economic Area users' personal data to servers located in China, marking a significant escalation in regulatory scrutiny of the social media platform's data handling practices.

The inquiry, announced on July 10, 2025, stems from TikTok's admission in April 2025 that it had discovered limited EEA user data was being stored on servers in China - a practice that directly contradicted the company's previous testimony to regulators. TikTok had initially informed the DPC of this issue after discovering it in February 2025.

Summary

Who: The Irish Data Protection Commission has opened an inquiry into TikTok Technology Limited, with Commissioners Dr. Des Hogan and Mr. Dale Sunderland making the decision.

What: A formal investigation into TikTok's transfers of EEA users' personal data to servers located in China, focusing on GDPR compliance and the accuracy of information provided to regulators.

When: The inquiry was announced on July 10, 2025, following TikTok's April 2025 disclosure of data storage issues discovered in February 2025.

Where: The investigation targets data transfers from the European Economic Area to servers located in China, with the Irish DPC serving as the lead supervisory authority.

Why: TikTok admitted that limited EEA user data was stored on Chinese servers, contradicting previous representations that data remained outside China and was only accessed remotely.

This new investigation follows the DPC's decision of April 30, 2025, which had considered TikTok's data transfers to China under a separate inquiry. During that previous investigation, TikTok maintained that transfers occurred only through remote access, asserting that EEA user data remained stored on servers outside China and were accessed remotely by staff within China.

According to the DPC announcement, the regulator expressed "deep concern" that TikTok had submitted inaccurate information during the previous inquiry. The commission stated it was taking these developments "very seriously" and considering further regulatory action in consultation with peer EU Data Protection Authorities.

The decision to commence the new inquiry under section 110 of the Data Protection Act 2018 was taken by Commissioners for Data Protection Dr. Des Hogan and Mr. Dale Sunderland. TikTok was notified of the decision earlier this week.

Technical scope of investigation

The inquiry will examine whether TikTok has complied with relevant obligations under the General Data Protection Regulation (GDPR) regarding the lawfulness of transfers pursuant to Chapter V of the regulation. Specifically, the investigation will focus on several key provisions.

The DPC will examine Article 5(2) concerning accountability principles, requiring organizations to demonstrate compliance with data protection principles. Article 13(1)(f) regarding transparency information related to third country transfers will be scrutinized, ensuring users receive adequate information about international data transfers.

Article 31, which establishes the obligation to cooperate with supervisory authorities, forms another focus area. The commission will assess whether TikTok provided accurate and complete information during regulatory interactions. Chapter V GDPR requirements for third country transfers will be comprehensively reviewed to determine compliance with established safeguards.

The regulatory framework for international data transfers requires adherence to strict conditions when personal data leaves the EEA. According to the DPC documentation, transfers can occur only if conditions laid down in Chapter V of the GDPR are met, ensuring the high level of protection provided within the European Union continues in third countries.

Legal framework for data transfers

The GDPR establishes multiple mechanisms for lawful international data transfers. Article 45(1) provides that transfers may be authorized through European Commission adequacy decisions, determining that specific third countries ensure adequate protection levels.

The European Commission has made adequacy decisions for fifteen jurisdictions: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA, and Uruguay. China has not received such an adequacy decision.

Where no adequacy decision exists, organizations must rely on other GDPR provisions such as Standard Contractual Clauses. These mechanisms place responsibility on organizations to verify, guarantee, and demonstrate that destination country laws and practices provide protection essentially equivalent to EU standards.

The DPC's concern centers on whether TikTok properly implemented these safeguards when storing EEA user data on Chinese servers. China's legal framework includes provisions granting authorities extensive access to data processed by Chinese companies, potentially conflicting with GDPR protection standards.

Industry context and implications

This enforcement action emerges within a broader landscape of regulatory pressure on social media platforms and data protection compliance. Recent analysis shows that data protection enforcement has intensified across European authorities, though with varying approaches and outcomes.

Privacy advocacy groups have filed complaints against major Chinese technology companies, targeting data transfer practices of companies including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. These complaints, submitted to authorities across multiple European countries, challenge the legal basis for international data transfers under current EU privacy law.

The marketing community faces increasing complexity in navigating data protection requirements. Professional surveys indicate that 74% of data protection experts believe authorities would find relevant violations if conducting on-site investigations at average companies handling user data.

TikTok has previously faced regulatory challenges in European markets, including a €750,000 fine from Dutch authorities for providing privacy policies only in English to Dutch users, including children.

The platform has also encountered scrutiny in other jurisdictions. The Federal Trade Commission filed a lawsuit against TikTok and ByteDance for alleged violations of the Children's Online Privacy Protection Act, highlighting global regulatory concerns about the platform's data handling practices.

Technical challenges in compliance

The complexity of modern data architectures creates challenges for multinational technology companies in ensuring compliance across different jurisdictions. TikTok's case illustrates how technical infrastructure decisions can inadvertently violate regulatory commitments.

The platform operates a distributed architecture designed to serve global users while attempting to comply with varying national data protection requirements. This technical approach requires sophisticated data governance frameworks to ensure compliance with different regulatory standards across multiple jurisdictions.

Legal analysis of TikTok's Terms of Service has revealed extensive data collection practices, highlighting the scope of information processed by the platform and the corresponding regulatory obligations.

The DPC inquiry occurs alongside TikTok's broader efforts to address privacy concerns. The platform has implemented new privacy controls and advertising transparency features, including restrictions on teen targeting and enhanced user control over data personalization.

Financial and operational implications

GDPR violations can result in significant financial penalties, with fines up to 4% of global annual revenue or €20 million, whichever is higher. Recent enforcement actions demonstrate the substantial financial risks, with LinkedIn Ireland facing a €310 million fine for data processing violations.

The inquiry's outcome could establish important precedents for how technology companies manage international data flows and engage with regulatory authorities. The DPC's emphasis on accuracy in regulatory communications suggests heightened scrutiny of company representations during enforcement proceedings.

For the advertising technology sector, this case underscores the importance of robust data governance frameworks. Oracle's recent $115 million privacy settlement and subsequent exit from the ad tech business illustrate how privacy-related legal challenges can reshape industry operations.

The enforcement action also reflects broader trends in data sovereignty requirements. European authorities are implementing stricter oversight of international data transfers, particularly involving companies operating under different legal frameworks.

Regulatory cooperation mechanisms

The DPC's decision followed the inquiry cooperation procedure with peer EU regulators under the GDPR One Stop Shop mechanism. This process ensures consistent enforcement across the European Union while enabling lead authorities to coordinate complex cross-border investigations.

The One Stop Shop mechanism designates a lead supervisory authority for companies with establishments in multiple EU member states. Ireland serves as the lead authority for many major technology companies due to their European headquarters locations within Irish jurisdiction.

This cooperative approach enables regulatory authorities to address complex data protection violations while ensuring consistent application of GDPR principles across the single market. The mechanism has processed thousands of procedures since GDPR implementation, facilitating coordinated enforcement efforts.

Recent data shows significant growth in cross-border case volumes, with authorities initiating 3,813 procedures to identify lead and concerned supervisory authorities between May 2018 and November 2023.

Industry response and outlook

The inquiry highlights ongoing challenges in balancing global technology operations with regional data protection requirements. Companies operating across multiple jurisdictions must navigate complex regulatory landscapes while maintaining efficient technical infrastructure.

Digital rights organizations have gained expanded authority for collective redress actions, potentially increasing accountability pressure on technology companies through coordinated legal challenges across European markets.

The enforcement environment continues evolving as authorities adapt to emerging technologies and business models. Recent guidance from European regulators demonstrates ongoing efforts to clarify compliance requirements across different technical implementations.

For marketing professionals utilizing social media platforms, this enforcement action emphasizes the importance of understanding platform data handling practices and potential regulatory implications. Companies must consider how their advertising and content strategies align with evolving privacy regulations and platform compliance measures.

The outcome of this inquiry may influence how other technology companies approach regulatory transparency and international data governance, particularly regarding accurate representation of technical infrastructure and data processing practices.

Timeline

• February 2025: TikTok discovers limited EEA user data stored on Chinese servers
• April 2025: TikTok informs DPC of discovered data storage issue
• April 30, 2025: DPC issues decision on previous inquiry into TikTok's China data transfers
• July 10, 2025: DPC announces new inquiry into TikTok's China data storage
• August 2021: Dutch DPA fines TikTok €750,000 for English-only privacy policies
• August 2024: FTC sues TikTok for alleged COPPA violations
• January 2025: Privacy groups file complaints against Chinese tech companies