Subscribe
It is also not TikTok’s first clash with the DPC. In September 2023, the regulator fined the platform €345 million for GDPR violations related to children’s data, citing public-by-default account settings for users aged 13 to 17 and inadequate age verification. TikTok challenged that decision in the Irish High Court, arguing the fine was disproportionate, but the outcome remains pending.
Speaking on the decision, DPC Deputy Commissioner Graham Doyle highlighted that TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
These failures were compounded by what the DPC says was erroneous information submitted during its inquiries. The DPC further noted that throughout its inquiry, TikTok informed the DPC that it did not store EEA User Data on servers located in China.
However, in April 2025, it emerged that TikTok informed the DPC that it had discovered in February 2025 instances where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the DPC inquiry.
The DPC’s move is likely to intensify existing geopolitical tensions between the EU and China. While the decision is officially grounded in technical GDPR violations, its timing and focus on Chinese access risks reinforce perceptions that enforcement is increasingly shaped by strategic considerations beyond privacy law. Critics argue that data protection, while a legitimate regulatory concern, is being wielded as a proxy instrument in a broader contest over technological sovereignty and influence.
Political reaction from Ireland’s opposition party the Social Democrats has been swift. Its spokesperson on digitalisation, who is also a former head of Ireland’s Human Rights and Equality Commission, Sinead Gibney, welcomed the ruling by the DPC. According to Gibney, the penalty is a reminder to social media companies that they will pay a very high price for breaching their users’ GDPR rights. Gibney also noted that it is vital that Ireland’s laws and regulations robustly defend rights to privacy and protection of data. Ireland’s MEP from the Fianna Fail party, Billy Kelleher, was also quick to defend the DPC. In a post on X, the MEP used the outcome to push back against politicians claiming that EU Digital Services Act and Personal Data Protection regulations are onerous. Very large online platforms must be regulated, he said, to protect individuals and society, and the EU will protect citizens.
There is also a sense, however, that the extraordinary size of the penalty levied by the DPC and the grounds upon which it based its decision may yet prove to be something of a double-edged sword. There is also no clear indication that the DPC’s approach and the fines it levies will do anything to materially alter TikTok’s practices, given its parent company, ByteDance’s deep pockets. TikTok’s ad revenue worldwide is projected to reach $33.1 billion in 2025, representing a 40.5 percent increase from 2024. This will allow it to pursue the case through Irish courts for years, therefore delaying compliance, much like Meta’s ongoing legal battles over its €1.2 billion fine.
This has drawn unease from within EU policy circles. Several digital policy analysts have warned that the EU’s fragmented approach to enforcement, with harsher treatment of TikTok and more lenient responses to EU-based violators, risks politicising GDPR itself. If enforcement appears inconsistent or targeted along geopolitical lines, the regulation may lose its credibility as a neutral legal instrument and begin to function instead as a tool of economic pressure. For multinationals, this introduces regulatory uncertainty that extends far beyond data law.
Moreover, the DPC’s focus on TikTok raises questions about consistency. Thousands of companies rely on similar data transfer mechanisms, yet TikTok’s Chinese ownership makes it a lightning rod for scrutiny, potentially exposing the EU to accusations of selective enforcement.
Meanwhile, there is growing frustration among legal scholars that the DPC’s dual posture as both enforcer and host regulator for many global tech firms remains unresolved. Ireland’s position as the de facto data regulator for the EU’s largest platforms, due to the companies’ Dublin headquarters, places it in a structurally conflicted role, balancing aggressive enforcement with the need to maintain its attractiveness as a hub for foreign investment. Legal scholars argue that this tension, if left unresolved, could expose Ireland to accusations of either regulatory capture or overreach, depending on the case. As the DPC continues its zealous pursuit of GDPR compliance, the delicate balance between protecting privacy rights and sustaining Ireland’s economic competitiveness remains under strain.
Consideration also has to be given to the fact that Ireland’s economy has thrived as a hub for tech giants like Meta, Google and TikTok, largely due to its favourable tax regime, English-speaking workforce and historically business-friendly regulatory environment.
It may not be long, however, before the DPC’s zealous pursuit of GDPR enforcement threatens to erode this competitive advantage.
Critics, including industry voices, have long argued that excessive fines and regulatory scrutiny could deter future investment. For example, in 2014, Facebook’s Sheryl Sandberg warned Irish officials that overly strict regulation could prompt companies to revisit their investment strategies in the EU.
Finally, it should be noted that TikTok immediately issued a robust rejection of the DPC findings. In doing so it highlighted that the ruling could have EU-wide consequences as, in the company’s view, it risks setting a precedent for companies and entire industries across Europe that operate on a global scale. The statement also conveyed TikTok’s view that the ruling delivers a blow to the European Union’s competitiveness.
Christine Grahn, Head of TikTok’s Public Policy and Government Relations in Europe, specifically attacked the DPC ruling on the grounds that it failed to fully consider Project Clover, TikTok’s €12 billion industry-leading data security initiative that, according to the company, includes some of the most stringent data protections anywhere.
TikTok accused the DPC of instead focusing on a select period from years ago, prior to Clover’s 2023 implementation, a focus that does not reflect the safeguards now in place.
Additional points of criticism made against Ireland’s DPC include the fact that the DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities and has never provided European user data to them.
TikTok says it disagrees with the decision and plans to appeal the decision in full.