Irish court instructs regulator to reassess the ban on TikTok's data transfer to China.
The High Court affirmed TikTok’s liability under GDPR and upheld its €530 million fine, but it returned the decision to suspend transfers to China to the regulator for further examination. TikTok lost the most critical aspect of the case but gained some leeway regarding other issues.
Ireland's High Court confirmed the Data Protection Commission's determination that TikTok violated EU privacy laws by transferring data of European users to China, maintaining the accompanying €530 million fine. However, the court directed the regulator to reassess the corrective action aimed at halting those data transfers, a concern of greater commercial importance to TikTok.
In a ruling delivered in early June, the liability issue was resolved. The court dismissed TikTok’s argument that the Data Protection Commission had incorrectly applied EU regulations relating to international data transfers, thereby supporting the essence of the regulator's investigation into how data from users in the European Economic Area was transferred to China.
The central issue of whether TikTok breached the law was answered affirmatively. However, the practical implications are somewhat more favorable for the company. By instructing the Data Protection Commission to reconsider the suspension order on future transfers, TikTok can continue transferring European data to China while the regulator deliberates on the imposition of the ban.
A finding of misconduct that does not result in an immediate cessation of the activity serves as a partial reprieve, which TikTok is utilizing. Additionally, the €530 million penalty is not necessarily final; the court indicated it would review TikTok’s appeal concerning the penalty's magnitude, leaving both the corrective measures and the financial penalty open for additional discussion despite the resolution of the company's liability.
In essence, the case has been determined in principle, but its outcomes remain unresolved, creating a complicated situation for all parties involved. The dispute touches on a sensitive aspect of the broader TikTok narrative: the persistent concern among Western governments that data on users in Europe and America might be accessible to the Chinese government.
TikTok has repeatedly denied any improper access to its data and has invested significantly in localizing its data storage, establishing data centers in Dublin and elsewhere in Europe through an initiative called Project Clover, aimed at ensuring that this information remains within European borders.
The Irish case concerns the transfers that occurred nonetheless, and the legal obligations resulting from them. The original DPC decision was clarified by a later admission; TikTok, which had previously asserted that it did not store European data on servers in China, revealed in 2025 that some limited data from EEA users had indeed been stored there, contradicting prior commitments to the regulator.
The regulator in question has a contentious record. The Irish Data Protection Commission oversees GDPR compliance for the numerous tech companies that have established their European headquarters in Dublin, a concentration that has made it a de facto enforcer of EU privacy legislation, drawing ongoing criticism for being overly lenient towards the companies it regulates.
A court instructing the DPC to revisit a stringent corrective measure will likely not silence those critics. The context is intensified by the fact that Ireland has recently assumed the rotating presidency of the EU Council, granting it considerable influence over the bloc's direction during a period when its management of Big Tech enforcement faces scrutiny.
The TikTok ruling serves as a live illustration of the tension between Ireland’s role as a haven for tech giants and its regulatory responsibilities. The next steps will depend on the Data Protection Commission, which must now re-evaluate the suspension order as per the court's mandate, while TikTok’s challenge regarding the fine remains to be addressed.
Liability has been affirmed and the principle established: transferring EEA data to China, as TikTok did, is against the law. What remains uncertain is the penalty's final amount and whether the transfers will indeed be halted, the two issues that TikTok has the greatest incentive to continue contesting.
Other articles
Irish court instructs regulator to reassess the ban on TikTok's data transfer to China.
Ireland's High Court confirmed TikTok's GDPR liability along with its €530 million fine, while directing the Data Protection Commission (DPC) to reevaluate the decision to suspend data transfers to China.
