TikTok is once again facing intense scrutiny in the European Union over its data privacy practices, specifically regarding the potential transfer of European user data to China. A new investigation has been launched by the Irish Data Protection Commission (DPC), the lead privacy regulator for TikTok in the EU, following concerns about the storage of European users' data on servers in China.

This inquiry follows a previous investigation that concluded earlier this year with a €530 million ($600 million) fine imposed on TikTok for putting users at risk of spying by allowing remote access to their data from China. The DPC found that TikTok's data transfers to China breached the EU's strict data privacy rules, known as the General Data Protection Regulation (GDPR). The regulator also sanctioned TikTok for not being transparent with users about where their personal data was being sent.

The current investigation was triggered by TikTok's disclosure in April 2025 that a limited amount of European user data had been stored on servers in China. This admission contradicted TikTok's previous statements to the DPC, during a four-year investigation, that EU user data was only accessed remotely by staff in China and not stored in the country. The DPC has expressed "deep concern" that TikTok submitted "inaccurate information to the inquiry".

The purpose of the new inquiry is to determine whether TikTok has complied with its obligations under the GDPR in the context of the data transfers, including the lawfulness of the transfers. The investigation will focus on whether TikTok has adhered to GDPR articles related to accountability, transparency, cooperation with supervisory authorities, and compliance with rules around data transfers outside of the EU. Under GDPR rules, European user data can only be transferred outside the bloc if there are safeguards in place to ensure the same level of protection.

TikTok has stated that the data in question was discovered proactively through the comprehensive monitoring implemented under "Project Clover," the company's data localization project involving the construction of three data centers in Europe. The company claims that it promptly deleted the data from the servers and informed the DPC, underscoring its commitment to transparency and data security. TikTok maintains that it has never received a request for European user data from Chinese authorities and has never provided such data to them.

Despite these assurances, Western officials remain concerned about the potential security risks associated with TikTok's handling of user data, given its parent company ByteDance is based in China. These concerns are amplified by Chinese laws on anti-terrorism, counter-espionage, cybersecurity, and national intelligence, which have been identified as "materially diverging" from EU standards.

The outcome of this investigation could have significant implications for TikTok and other international businesses operating in Europe. Companies found in violation of GDPR can face fines of up to 4% of their global annual turnover. The EU is demonstrating its resolve to impose sovereignty and accountability on digital platforms operating within its borders. This scrutiny extends beyond data privacy to encompass concerns about algorithmic manipulation, advertising transparency, electoral interference, and systemic platform risks.