Ireland’s Data Protection Commission (DPC) has opened a formal investigation against TikTok Technology Limited in a major step forward in regulatory scrutiny regarding the transfer and real storage of personal data belonging to users in the European Economic Area (EEA) on servers situated in China.
This action follows revelations that contradict TikTok’s previous assurances about its handling of EU data, raising serious concerns about data protection, trust, and transparency.
Discrepancy in TikTok’s Previous Statements
The DPC’s latest intervention is rooted in its earlier decision dated April 30, 2025, which investigated the social media giant’s data transfer practices.
During that prior inquiry, TikTok maintained that EEA users’ personal data was never stored in China but only accessed remotely by staff located there, with the actual data residing on servers outside Chinese territory.
This assertion formed the basis for the earlier inquiry’s relatively narrowed focus and scope.
However, in April 2025, TikTok formally notified the DPC that it had uncovered an incident dating back to February 2025, whereby a limited set of EEA user data had in fact been stored on servers within China a clear contradiction of their earlier sworn representations to the regulator.
The DPC and its EU regulatory partners, via the General Data Protection Regulation (GDPR) One Stop Shop mechanism, have expressed deep concern over TikTok’s submission of inaccurate information during the previous investigation.
The DPC’s subsequent press release strongly emphasized the seriousness of these developments and signaled further regulatory action was under consideration in close consultation with peer EU data protection authorities.
Focus on GDPR Compliance
The latest inquiry, commenced under Section 110 of Ireland’s Data Protection Act 2018 and led by Commissioners Dr. Des Hogan and Mr. Dale Sunderland, will examine whether TikTok’s practices complied with GDPR obligations particularly those arising from the highly sensitive process of transferring and storing personal data outside the EEA.
Central to the inquiry will be analyses under Article 5(2) relating to organizational accountability, Article 13(1)(f) concerning transparency about international transfers, Article 31 regarding obligations to cooperate with supervisory authorities, and compliance with the strict requirements of Chapter V of the GDPR which governs third-country personal data transfers.
Under GDPR, data exported from the EEA must be accorded a level of protection essentially equivalent to that within the EU.
Transfers to third countries may only take place if strict legal mechanisms, such as an Adequacy Decision by the European Commission or Standard Contractual Clauses, are in place.
China, notably, does not benefit from an Adequacy Decision, meaning organizations like TikTok must implement additional safeguards and demonstrate full compliance with EU standards.
Any failure to do so undermines the ability of individuals to exercise data rights and can compromise the high level of protection the GDPR is designed to uphold.
This new inquiry underscores the heightened regulatory vigilance facing global tech platforms operating in Europe, especially regarding the transparency and lawfulness of cross-border data flows.
The outcome of the DPC’s investigation could have wide-reaching implications not just for TikTok, but for all technology companies engaged in similar transfers in jurisdictions lacking an official recognition of data protection adequacy.
The DPC’s willingness to take assertive enforcement action signals a broader European resolve to ensure that companies handling EU citizens’ data do so with the highest standards of integrity and regulatory adherence.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
 has opened a formal investigation against TikTok Technology Limited in a major step forward in regulatory scrutiny.){kind=link}