Ireland’s Data Protection Commission (DPC), which oversees TikTok in the EU since its European HQ is in Dublin, said the app wasn’t transparent enough about where user data was being sent and didn’t do enough to protect it from access by Chinese staff. TikTok has six months to fix the issues.
TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
– Deputy Commissioner Graham Doyle, May 2025
TikTok isn’t backing down, though. The company said it plans to appeal, arguing that the ruling ignores its new €12 billion data protection initiative, Project Clover. That includes building three data centers in Europe and putting stronger controls in place since May 2023.
The decision fails to fully consider Project Clover, our €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere. It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place.
–Christine Grahn, Head of Public Policy & Government Relations – Europe, May 2025
TikTok also said it has never been asked by Chinese authorities to hand over European user data – and it never has.
(TikTok) has never provided European user data to them [the Chinese authorities]. We disagree with this decision and intend to appeal it in full.
