TikTok is once again under the microscope in Europe, facing a fresh investigation concerning the privacy of user data and its transfer to China. The inquiry, launched by the Irish Data Protection Commission (DPC), follows a previous investigation that concluded with a hefty fine for the video-sharing app. This renewed scrutiny highlights the ongoing concerns surrounding the handling of personal information by the Chinese-owned platform and its compliance with the European Union's (EU) stringent data protection regulations.
The DPC's investigation is a direct response to revelations that TikTok had, contrary to its earlier claims, stored data belonging to users within the European Economic Area (EEA) on servers located in China. This revelation emerged in April 2025, prompting the DPC to express "deep concern" over the "inaccurate information" TikTok had provided during the initial inquiry. The current probe aims to determine whether TikTok has adhered to its obligations under the General Data Protection Regulation (GDPR), particularly concerning the lawfulness of data transfers to third countries.
The GDPR sets a high standard for data protection within the EEA, granting individuals significant rights over their personal information. It also restricts the transfer of personal data outside the EEA unless specific conditions are met to ensure an equivalent level of protection. Only fifteen countries or territories are recognized as having data privacy standards equivalent to the EU's; China is not among them. This makes the legality of TikTok's data transfers to China a central issue in the investigation.
TikTok, owned by the Chinese company ByteDance, has been under increasing pressure in Europe and the United States regarding its data handling practices. Western officials have voiced concerns that the platform could pose a security risk, potentially allowing the Chinese government access to user data for espionage or propaganda purposes. TikTok has consistently denied these allegations, asserting that it has never received requests for European user data from Chinese authorities and has never provided such data.
In an effort to address these concerns, TikTok initiated "Project Clover," a data localization project involving the construction of three data centers in Europe. The company claims that this project implements stringent data protection measures, including independent oversight by a European cybersecurity firm. TikTok has emphasized that it proactively discovered and deleted the "minimal amount" of EEA user data that was briefly stored on Chinese servers, underscoring its commitment to transparency and data security.
Despite these efforts, the DPC has decided to proceed with a new inquiry, highlighting the seriousness with which European regulators are treating the matter. The outcome of this investigation could have significant implications for TikTok's operations in Europe, potentially leading to further fines or restrictions on data transfers. It also underscores the broader challenges faced by multinational tech companies in navigating the complex and evolving landscape of global data privacy regulations.
This latest investigation comes on the heels of a 530 million euro fine imposed on TikTok by the DPC earlier in 2025, for violations of GDPR related to data transfers to China. The DPC found that TikTok put users at risk of spying by allowing remote access to their data from China. The Irish watchdog also sanctioned TikTok for not being transparent with users about where their personal data was being sent and ordered the company to comply with the rules within six months. TikTok is appealing the fine.
The DPC is tasked with ensuring companies comply with the EU's strict General Data Protection Regulation.