The Irish Data Protection Commissioner (DPC), known as the principal privacy watchdog for TikTok’s parent company ByteDance, has opened a new investigation into TikTok’s handling of personal data from EU users transferring their information to servers located in China. The DPC declared that it has noticed new evidence after months of uncertainty, which could invalidate its previous findings about whether TikTok complied with the General Data Protection Regulation (GDPR) as required by the Data Protection Act, which applies to data transfers by EU Services Operators to third parties.
First, the DPC stated that TikTok claimed any data transfers from EU users to China occurred via remote access only and that such data was never stored on servers in China. However, the DPC identified in February 2025 that a limited amount of EU personal data had been stored in China, contrary to the assertions of TikTok’s transparency.
The DPC stressed that it remains concerned about the accuracy of the information provided by TikTok and engaged in a conference with other advisory bodies to determine the appropriate regulatory actions. This new inquiry is crucial, as it would directly affect the well-being of EU users who may come to depend on TikTok, which has now been楙requirements to ensure that their personal data is protected under GDPR.
Speaking to the study, the DPC noted that the Investorsregistration System (INIS) is now impaired by the move, as a third party has accessed and transferred data to China, while EU users retain the right to loi to inform the DPC and prevent a callback. The decision tofund the investigation was also conditional on the outcomes of the consequence of the Data Protection Act litigation involving TikTok and ByteDance.
The DPC’s general approach was to verify the true nature of the data transfers and assess whether it was possible that EU users had suffered as a result of these actions. However, the DPC reiterate that it remains committed to enforcing GDPR and ensuring that EU users’ data is protected in accordance with both the obligations under the DPA and the GDPR.
