TikTok transfer order faces fresh review

TikTok’s data-transfer fight is returning to Ireland’s privacy regulator again. The DPC is reviewing whether to pursue fresh sanctions after court scrutiny of its EU-China transfer suspension order.


Ireland’s Data Protection Commission is reassessing whether to pursue fresh sanctions against TikTok after a court told the regulator to reconsider an order requiring the platform to suspend data transfers from the European Union to China.

The case keeps one of Europe’s most consequential cross-border data enforcement actions open, more than a year after the Irish regulator fined TikTok €530 million and ordered corrective measures over transfers of European Economic Area user data to China.

The Irish High Court upheld the DPC’s finding that TikTok breached EU privacy rules, but told the regulator to reconsider the corrective measures imposed alongside the fine. Des Hogan, chair of the DPC, said the regulator was reviewing the judgment and would decide in the coming period whether to impose sanctions again. If it does, the process would begin afresh and TikTok would have the right to appeal any new decision.

The DPC’s original decision, adopted in April 2025, found that TikTok infringed GDPR requirements relating to international data transfers and transparency. The regulator said the transfers involved EEA user data being accessed remotely by personnel in China, and that TikTok had failed to verify, guarantee, and demonstrate that the data received a level of protection essentially equivalent to that guaranteed within the EU.

The decision included two administrative fines totalling €530 million: €485 million for infringement of Article 46(1) GDPR and €45 million for infringement of Article 13(1)(f) GDPR. It also ordered TikTok Ireland to suspend the data transfers and bring processing into compliance.

The DPC said in its 2025 decision: “The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.”

TikTok has said it has never received a request for European user data from Chinese authorities and has never provided European user data to them. The company has also pointed to Project Clover, a programme intended to strengthen European data governance, local storage, and independent oversight.

The court’s intervention leaves the underlying enforcement risk in place. The regulator’s core finding on GDPR infringement remains significant, while the transfer-suspension issue now returns to the DPC for further assessment. That keeps uncertainty around one of the most commercially sensitive questions in digital regulation: how companies can lawfully move, access, or process European data when operations, staff, vendors, or group entities sit outside the EU.

Although TikTok is the named platform, the dispute reaches the architecture of multinational technology operations. Global systems often rely on distributed engineering, security, moderation, analytics, and support functions. EU data protection rules require companies to show that international transfers preserve a level of protection essentially equivalent to that available inside the European Economic Area, even where the underlying business model depends on cross-border access.

The GDPR allows personal data to move outside the EEA only where the transfer mechanism preserves EU-level safeguards. Where the destination country does not have an adequacy decision, companies typically rely on mechanisms such as standard contractual clauses and supplementary measures. Those measures must be assessed against the legal and practical risks in the recipient country.

The DPC’s original findings focused heavily on whether TikTok had adequately assessed the effect of Chinese law and potential access by Chinese authorities. The regulator said TikTok’s own assessment identified Chinese laws that materially diverged from EU standards, including anti-terrorism, counter-espionage, cybersecurity, and national intelligence laws. It also found that TikTok’s earlier transparency information did not sufficiently identify the countries involved or explain the remote-access processing at issue.

The enforcement landscape has become more demanding since the Court of Justice of the European Union’s Schrems II judgment placed greater emphasis on transfer risk assessments and supplementary measures. Technology companies must document the contractual mechanism used for transfers and demonstrate why that mechanism is effective in practice. Regulators are increasingly focused on evidence: who can access data, from where, under which controls, and with what monitoring.

Operational planning now has to account for that evidence burden. Data localisation may reduce some risk, but it does not automatically answer questions about remote access, group support functions, engineering teams, security operations, or vendor maintenance. A company can store data in Europe while still facing transfer questions if personnel elsewhere can access that data in a way that falls within GDPR transfer rules.

Concerns over data flows sit within broader European scrutiny of platform governance, digital sovereignty, algorithmic systems, child protection, content moderation, AI deployment, and accountability. Data access cuts across those areas because it determines which legal systems, security controls, and organisational structures touch user information. The same trust questions have been building around AI-enabled commerce, where AI shopping agents face a trust barrier over payments, control, and data security.

A transfer suspension order affecting EU-China data would be operationally disruptive for a platform with global engineering, moderation, security, and support functions. Even where a court pauses or narrows a regulatory measure, the dispute can influence investment, governance design, customer confidence, and the way other multinationals structure their own systems.

The DPC’s 2025 annual report also shows the scale of the regulatory workload. The regulator received 16,160 new cases from individuals in 2025, a 45% increase on the previous year, and concluded 208 valid cross-border complaints in its role as EU and EEA lead supervisory authority. It also finalised four large-scale inquiries and imposed administrative fines totalling just over €530.77 million, with the TikTok decision accounting for the overwhelming majority.

That rising caseload reflects a more complex privacy enforcement environment. Complaints, breach notifications, cross-border investigations, AI-related documentation, and large-platform inquiries are growing in volume and complexity. Companies operating in Europe face data protection decisions that can carry governance, geopolitical, operational, and commercial consequences at the same time.

The DPC will now have to decide how to respond to the High Court’s concerns about the corrective measures attached to the original decision. A renewed sanction route would reopen the procedural timetable and give TikTok another appeal pathway. A revised order could still carry major consequences if it imposes clearer restrictions on how EU user data is accessed from China.

The case remains a benchmark for European digital regulation. Large fines attract attention, but corrective orders can be more disruptive where they force changes to data architecture, access controls, and international operating models. That question now returns to Ireland’s privacy watchdog, with multinational technology groups watching how far EU data protection enforcement can reach into global operating structures.


