A recent investigation by Euractiv reveals that TikTok is under a new European Union privacy probe concerning the transfer and storage of European user data in China. This fresh inquiry follows a prior investigation by the Irish Data Protection Commission (DPC), which fined TikTok €530 million ($620 million) in May 2025 for illegally transferring personal data of EU users to China, violating the EU’s General Data Protection Regulation (GDPR).
The new probe was triggered after TikTok disclosed in April 2025 that a limited amount of European Economic Area (EEA) user data had been stored on servers in China—contradicting earlier claims by the company that no such storage occurred. This revelation raised serious concerns about TikTok providing inaccurate information during the initial investigation.
The Irish regulator, which acts as TikTok’s lead data privacy authority in the EU due to the company’s European headquarters in Dublin, has expressed "deep concern" over TikTok’s handling of data and is considering further regulatory actions. The investigation highlights the risks posed by Chinese laws that could compel TikTok to grant Chinese authorities access to European user data, a situation deemed incompatible with EU data protection standards.
TikTok has denied ever receiving requests from Chinese authorities for European user data and is appealing the May fine. The company also points to its ongoing "Project Clover," an initiative to localize European user data within EU-based data centers with enhanced security and independent oversight, which it says was not fully considered in the regulator’s ruling.
Euractiv's coverage underscores the broader geopolitical and privacy concerns surrounding TikTok, a platform owned by the Chinese company ByteDance, as EU regulators intensify scrutiny over data security and sovereignty in digital services.
In summary, the Euractiv investigation highlights that TikTok is facing renewed EU regulatory pressure due to undisclosed storage of EU user data in China, following a record fine and ongoing doubts about the company’s transparency and compliance with European data protection laws. The case illustrates the complex challenges of managing cross-border data flows amid rising tensions over privacy and national security in the digital age.