[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJCCYkLB0BL7WylZoe_exg5yVGw7TPx-LW_32R2EGApY":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"79e28738-3d5c-4aab-917e-148b3bcde76e","High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347","high-court-tiktok-technology-limited-v-data-protection-commission-2026-iehc-347-134aec","← Older revision Revision as of 09:26, 24 June 2026 Line 12: Line 12: |ECLI= |ECLI= |Original_Source_Name_1= |Original_Source_Name_1=Bailii |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Language_1=English |Original_Source_Language_1=English","The Irish High Court has partially overturned a decision against TikTok Technology Limited regarding unlawful data transfers to China. While the court upheld the Data Protection Commission's (DPC) finding that TikTok unlawfully transferred EEA user data to China, it revoked the transfer ban. This revocation was based on the DPC's failure to adequately assess technical changes made by TikTok, including Project Clover, which aimed to localize data and restrict access from China.","High Court revokes TikTok's data transfer ban to China but upholds DPC's finding of unlawful transfer.","Help High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:52, 17 June 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators117 editsTag: Visual edit← Older edit Latest revision as of 09:26, 24 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators117 edits Line 12: Line 12: |ECLI=|ECLI= |Original_Source_Name_1=|Original_Source_Name_1=Bailii |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E|Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Language_1=English|Original_Source_Language_1=English Latest revision as of 09:26, 24 June 2026 High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 Court: High Court (Ireland) Jurisdiction: Ireland Relevant Law: Article 13(1)(f) GDPR Article 46(1) GDPR Article 83(2)(b) GDPR Decided: 03.06.2026 Published: 03.06.2026 Parties: TikTok Technology Limited TikTok Information Technologies UK Limited Data Protection Commission National Case Number\u002FName: TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 European Case Law Identifier: Appeal from: Data Protection CommissionIN-21-9-2 Appeal to: Unknown Original Language(s): English Original Source: Bailii (in English) Initial Contributor: bms A court upheld the DPC’s finding that TikTok unlawfully transferred EEA user data to China. However, it revoked the transfer ban because the DPC failed to properly assess TikTok’s technical changes. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts TikTok Technology Limited, the controller, and TikTok Information Technologies UK Limited appealed a decision of the Data Protection Commission, the DPA, before the High Court. The DPA had opened an own-volition inquiry into transfers of personal data of EEA users of the TikTok platform to China. The controller operated the TikTok platform in the EEA and allowed personnel of China-based group entities to remotely access certain EEA user data. The controller accepted that the data included personal data and that the remote access constituted a transfer under Chapter V GDPR. The controller relied on standard contractual clauses and supplementary measures. It argued that the personal data was stored outside China and only remotely accessed from China. On this basis, the controller claimed that Chinese public authorities could not compel access to the data because, under the territoriality principle in Chinese law, Chinese authorities had no power to access data stored outside China. The DPA considered that the controller had not sufficiently demonstrated that the relevant Chinese laws would not apply to the personal data while it was being processed by personnel in China. The DPA also considered that the controller had failed to properly assess whether the transferred data received a level of protection essentially equivalent to that guaranteed in the EEA. During the inquiry, the controller also introduced Project Clover. This was a set of measures intended to localise EEA user data in Europe, restrict access by China-based personnel and reduce the data flows still accessible from China. Under Project Clover, certain data would remain accessible by China-based personnel, but the controller argued that this data would be subject to additional privacy-enhancing measures, including pseudonymisation and differential privacy. The DPA found that the controller infringed Article 46(1) GDPR between 29 July 2020 and 17 May 2023. It also found that the controller infringed Article 13(1)(f) GDPR between 29 July 2020 and 1 December 2022, because its 2021 privacy policy did not identify the third countries to which personal data was transferred and did not properly explain the nature of the processing. The DPA imposed administrative fines totalling €530 million. It also ordered the controller to suspend the transfers and to bring its processing into compliance with the GDPR. The controller appealed the infringement findings, the fines and the corrective orders. Holding The Court largely dismissed the appeal. Unlawful international transfers to China First, the Court upheld the finding that the controller infringed Article 46(1) GDPR. The Court held that Chapter V GDPR requires a controller transferring personal data to a third country to verify that the data receives a level of protection essentially equivalent to that guaranteed in the EEA. The controller must also be able to demonstrate that assessment, in line with the accountability principle under Articles 5(2) and 24 GDPR. The Court rejected the controller’s argument that the DPA had reversed the burden of proof. The DPA did not have to prove that Chinese authorities would in fact access the personal data. Rather, the relevant question was whether the controller had adequately verified and demonstrated that the transferred personal data received the required level of protection. The Court also rejected the controller’s argument that the DPA had misinterpreted Schrems II. According to the Court, the DPA was entitled to assess whether the controller’s verification of the third-country legal framework and supplementary measures was adequate. Since the controller had not properly assessed the position of personal data processed by personnel in China, the DPA was entitled to find an infringement. Transparency obligations (Article 13(1)(f) GDPR) Second, the Court upheld the finding that the controller infringed Article 13(1)(f) GDPR. The Court held that the controller’s privacy policy should have identified the third countries to which personal data was transferred, including China. It should also have explained the nature of the processing. The Court considered that the 2021 privacy policy fell short of the GDPR’s transparency requirements. Negligence and entitlement to impose fines (Article 83 GDPR) Third, the Court upheld the DPA’s conclusion that the infringements were negligent under Article 83(2)(b) GDPR. The controller failed to comply with an obvious obligation under Article 46(1) GDPR and did not justify its misunderstanding of its obligations under Article 13(1)(f) GDPR. Therefore, the DPA was entitled to impose administrative fines. However, the Court left the controller’s appeal against the amount of the fines for a later judgment. Corrective measures Fourth, the Court assessed the corrective orders. It held that the DPA had not erred in law by considering whether a suspension order and processing order were necessary, appropriate and proportionate. The DPA was not required to make a further infringement finding before adopting corrective orders. However, the Court found that the DPA had not adequately assessed later evidence submitted by the controller. This included an updated Chinese law opinion and, in particular, the Project Clover measures. The Court accepted that Project Clover involved significant changes to the controller’s transfer model, including data localisation, access controls, reduced data flows and privacy-enhancing technologies. The Court held that the DPA had not sufficiently explained why the controller’s pseudonymisation and differential privacy measures were ineffective, or why they did not affect the need for a suspension order. In particular, the DPA had not properly assessed whether EEA users remained identifiable in the data still accessible by China-based perso","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=High_Court_-_TikTok_Technology_Limited_v_Data_Protection_Commission_(2026)_IEHC_347&diff=51984&oldid=51909","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-24T09:26:28+00:00","2026-06-24T10:00:13.856115+00:00",7,[18],{"name":19,"type":20},"TikTok","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]