On behalf of the EU, Irish Data Protection Commission (DPC) has launched an investigation into TikTok over the storage of some European users’ personal data on Chinese servers.
The powerful video-sharing platform, with 1.5 billion users, is owned by ByteDance, a Chinese company. It has been under scrutiny by Western governments for years due to concerns over ties to Beijing and the potential use of user data for espionage or propaganda.
In early May, the DPC fined TikTok €530 million for failing to adequately protect the personal data of Europeans, which was accessible remotely from China, although stored elsewhere.
During this inquiry, the social media giant informed the DPC that some European data had been not just accessible but actually stored in China (and subsequently deleted).
TikTok attributed this to a "technical issue" identified through its "proactive" monitoring.
The DPC expressed "deep concern that TikTok provided inaccurate information during this investigation," as noted in their statement on Thursday.
The new investigation aims to determine whether the social network complied with its obligations under the GDPR (General Data Protection Regulation) in light of the data transfers in question, explained the Irish authority.
The €530 million fine issued in May was the second-largest ever by the DPC, which acts for the EU since TikTok’s European headquarters, like most tech giants, are based in Ireland.
TikTok failed to offer guarantees against "possible access by Chinese authorities" due to their anti-terrorism and anti-espionage laws.
The platform, planning to appeal, insisted it had "never received a request" from Chinese authorities and had "never provided them with European user data."
European data can only be transferred – meaning stored or made accessible – in a third country if deemed sufficiently safe by the EU, examples being Japan, the United Kingdom, or the United States.
Without such approval, it’s up to the company to prove an equivalent level of protection, something TikTok has failed to achieve.
According to the company, European data is typically stored in Norway, Ireland, and the United States.
The Irish regulator had already fined TikTok €345 million in 2023 for violating European rules in handling minors’ data.
The largest fine from the DPC was against Meta in 2023: €1.2 billion for data transfers to the U.S. amidst fears of surveillance by American authorities.
TikTok is also under scrutiny in the U.S., where Congress passed a law in 2024 requiring ByteDance to cede its control within the country or face a ban.
"We have a buyer" for TikTok’s U.S. operations, US President Donald Trump stated at the end of June in an interview with Fox News, without further details.
Agence France-Presse (AFP), among over a dozen fact-checking organisations, is paid by TikTok in several countries to verify videos that may contain false information.
