TikTok Under Fire Again as Irish Regulator Probes China Data Storage

Key Takeaways

• New DPC Inquiry Launched: Ireland’s Data Protection Commission has opened a new investigation into TikTok over the storage of EEA user data on servers in China.
• Contradictory Evidence: TikTok previously told regulators that EEA user data was only accessed remotely from China—not stored there—but later admitted limited data had been stored on Chinese servers.
• GDPR Compliance in Question: The inquiry will examine TikTok’s compliance with GDPR provisions related to accountability, transparency, regulatory cooperation, and cross-border data transfer rules.
• No Adequacy Decision for China: Since China lacks an EU “adequacy” designation, TikTok would have needed to implement strict safeguards for any data transferred there.
• Regulatory Pressure Mounts: The investigation follows a prior DPC decision and adds to growing EU scrutiny over TikTok’s data practices and ties to China.

Deep Dive

TikTok is once again in the crosshairs of Ireland’s privacy watchdog after it admitted to storing some European user data on servers in China, contradicting what it had previously told regulators.

The Irish Data Protection Commission (DPC) announced Wednesday that it has opened a new inquiry into TikTok Technology Limited following fresh revelations that limited personal data belonging to users in the European Economic Area (EEA) was, in fact, stored on Chinese servers. That’s a significant twist because, during an earlier investigation that concluded in April, TikTok had assured the DPC that no such storage had occurred.

Back then, TikTok maintained that any access to EEA user data from China happened remotely and that the data itself never physically left servers located in Europe or elsewhere outside China. The DPC took those claims at face value and scoped its inquiry accordingly. But two months later, the company came forward with a different story: that it had discovered in February that some EEA user data had ended up on servers in China after all.

That revelation didn’t go unnoticed.

In its April decision, made in coordination with other EU data protection authorities under the GDPR’s One Stop Shop mechanism, the DPC had already flagged concern about TikTok’s earlier assurances. At the time, it warned it was “taking these developments very seriously” and considering next steps. Now, those steps are in motion.

The DPC’s latest move comes under Section 110 of the Irish Data Protection Act 2018, and the new inquiry is designed to get to the bottom of whether TikTok violated its legal obligations under the General Data Protection Regulation (GDPR). That includes whether the company was transparent about its data transfers, whether it upheld accountability standards, whether it cooperated fully with the regulator, and crucially, whether it lawfully transferred and stored personal data in China.

While TikTok has said only a limited amount of EEA data was affected, that doesn’t lessen the regulatory stakes. Under the GDPR, data transfers to countries outside the EU or EEA (particularly those without an official EU “adequacy” decision) face strict requirements. China is not on the EU’s list of approved jurisdictions, which means TikTok would have needed to implement robust safeguards like Standard Contractual Clauses and demonstrate that Chinese law doesn’t undermine EU data protection guarantees.

That’s a high bar to clear.

The inquiry, which was formally approved by Commissioners Dr. Des Hogan and Dale Sunderland, puts renewed pressure on TikTok as it tries to navigate a wave of regulatory scrutiny across Europe. With data localization, transparency, and trust already sensitive topics for the company, this latest development underscores how fragile the ground can be when dealing with cross-border data flows, especially when it involves China.

TikTok has yet to issue a public response to the inquiry. But with the DPC now digging deeper, and with its EU peers closely watching, the company may find that what happens next is no longer in its hands.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.