The social media giant was recently fined €530m by the Irish privacy regulator, but could now be in line for more financial punishment
It comes just weeks after the DPC fined TikTok €530m for improper data transfers outside the EU, a fine that the tech company is appealing
The new inquiry is a follow-up investigation after the Chinese-owned company told the DPC during its initial two-year probe that it had not held any EU users’ personal information on servers in China.
But just before the regulator’s €530m fine was to be published, and too late for it to be considered as evidence, TikTok informed the regulator that a “limited” amount of personal user data had been “discovered” to be on Chinese servers, two years after its own €11bn Project Clover initiative to ringfence EU and US user data came into effect.
”The [initial] DPC decision, which was issued following the inquiry cooperation procedure with peer EU regulators under the GDPR One Stop Shop mechanism, expressed its deep concern that TikTok had submitted inaccurate information to that inquiry,” the Irish regulator said in a statement.
”In its press release issued at the time of the conclusion of that inquiry, the DPC stated that it was taking those developments very seriously and was considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities. As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok.”
The regulator said that the purpose of the new inquiry is to “determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers pursuant to Chapter V of the GDPR”.
“The inquiry follows on from the DPC’s decision of 30 April 2025, which also considered TikTok’s transfers of EEA users’ personal data to China under a separate inquiry,” the regulator said.
”However, during that previous inquiry, TikTok maintained that transfers of EEA users’ personal data to China took place by way of remote access only and that EEA user data were not stored on servers located within China.
“[But] in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025, namely that limited EEA user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the previous inquiry.”
On the question of the Chinese servers, TikTok says that the fact it found the data on Chinese servers shows that its Project Clover initiative works.
“This shows Clover is working as intended to protect EU user data,” a TikTok spokesperson told the Irish Independent in May.
“Our teams proactively discovered the issue through the comprehensive monitoring system TikTok implemented under Project Clover. We acted immediately by deleting the data, updating our systems and promptly informing the DPC.”
TikTok’s US ban has been delayed until September, with US President Trump saying he hopes to have found a US buyer before then.
source