DPC Investigates TikTok Over Transfer of EU User Data to China

The Data Protection Commission (DPC) has launched a formal inquiry into TikTok Technology Limited, scrutinizing the company’s practices regarding the transfer and storage of European Economic Area (EEA) users’ personal data to servers in China.

This development stems from discrepancies uncovered in a prior investigation concluded on April 30, 2025, where TikTok asserted that EEA user data were exclusively accessed remotely from China without any physical storage on local servers.

Background on the Inquiry

However, TikTok later disclosed in April 2025 that it had identified an issue in February of the same year, revealing that limited EEA user data had indeed been stored on Chinese servers, contradicting its earlier submissions.

This revelation prompted the DPC to express profound concern over the submission of inaccurate information, highlighting potential breaches of accountability and transparency under the General Data Protection Regulation (GDPR).

In a press release accompanying the previous decision, the DPC emphasized its serious approach to these developments and indicated consultations with peer EU supervisory authorities to determine further regulatory actions.

The new inquiry, initiated under section 110 of the Data Protection Act 2018 by Commissioners Dr. Des Hogan and Mr. Dale Sunderland, was notified to TikTok earlier this week.

It operates within the GDPR’s One-Stop-Shop mechanism, ensuring coordinated oversight across EU regulators, and aims to assess TikTok’s compliance with key GDPR provisions in the context of these international data transfers.

Scope of the Investigation

At the heart of the inquiry is an examination of whether TikTok has adhered to its obligations under Chapter V of the GDPR, which governs transfers of personal data to third countries outside the EEA.

Such transfers are permissible only if they maintain an essentially equivalent level of protection to that afforded within the EU, preventing any undermining of data subjects’ rights.

The DPC will specifically probe compliance with Article 5(2), which mandates accountability by requiring data controllers to demonstrate adherence to GDPR principles; Article 13(1)(f), which demands transparent information to users about transfers to third countries; Article 31, imposing a duty to cooperate fully with supervisory authorities; and the broader requirements of Chapter V.

Notably, China lacks an Adequacy Decision from the European Commission under Article 45(1) GDPR, unlike jurisdictions such as Japan, the Republic of Korea, or the United Kingdom, where data transfers are streamlined due to recognized equivalent protections.

In the absence of such a decision, TikTok, as the data controller, must rely on alternative safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to legitimize transfers.

According to the Report, these mechanisms obligate the controller to verify and guarantee that the recipient country’s legal framework and practices do not compromise data protection standards, including through risk assessments and supplementary measures as outlined in post-Schrems II jurisprudence.

The inquiry underscores the critical importance of these safeguards, as remote access or inadvertent storage in non-adequate jurisdictions could expose EEA users to risks such as unauthorized surveillance or hindered enforcement of rights like access and erasure.

By delving into these technical aspects, the DPC seeks to enforce robust data governance, potentially setting precedents for how global platforms handle cross-border data flows.

This case not only highlights TikTok’s accountability lapses but also serves as an engaging reminder of the GDPR’s role in empowering users amid the digital age’s complexities, encouraging companies to prioritize transparency and compliance for a more secure online ecosystem.

Stay Updated on Daily Cybersecurity News. Follow us on Google News, LinkedIn, and X.