Irish Data Protection Commission opens new inquiry into TikTok’s data transfers to China

Ireland’s Data Protection Commission (DPC) launched a formal inquiry into TikTok Technology Limited concerning the storage and transfer of personal data belonging to users in the European Economic Area (EEA) on servers located in China. The inquiry follows earlier regulatory proceedings, during which TikTok had claimed that such data was only accessed remotely by staff in China and not physically stored there.

The previous investigation, which concluded on 30 April 2025, was conducted under the GDPR’s One Stop Shop mechanism in coordination with other EU data protection authorities. At the time, TikTok had assured the DPC that EEA user data remained on servers outside of China and was accessed remotely. However, TikTok later disclosed that in February 2025 it had discovered that a limited volume of EEA user data had, in fact, been stored on servers located within China, contrary to its earlier representations.

The watchdog expressed concern over the accuracy of the information provided during the earlier inquiry and indicated it was considering further regulatory action. The decision to open a new investigation was made by Commissioners Dr Des Hogan and Mr Dale Sunderland under section 110 of the Data Protection Act 2018. TikTok has since been formally notified of the inquiry.

The focus of the investigation is to assess whether TikTok has fulfilled its obligations under the General Data Protection Regulation (GDPR), particularly with regard to the legality of the data transfers under Chapter V of the regulation. The DPC will examine several specific GDPR provisions, including Article 5(2) on accountability, Article 13(1)(f) on transparency regarding international data transfers, Article 31 on cooperation with supervisory authorities, and overall compliance with the third-country transfer requirements outlined in Chapter V.

Under the GDPR, personal data transfers outside the EEA are subject to strict conditions to ensure that the rights of individuals are not undermined. Transfers can only take place if the third country in question offers an adequate level of data protection, as determined by the European Commission, or if other safeguards such as Standard Contractual Clauses are in place.

China is not currently covered by an adequacy decision from the European Commission. Therefore, companies transferring data to China must implement other legally recognised safeguards and be able to demonstrate that the level of protection is essentially equivalent to that provided within the EU. The DPC’s new inquiry will assess whether TikTok has met these standards.
