[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh0MoRB3Bg3oJhUH3WvgjslPZjuO7TZAcQNBCbvoVUmQ":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"6b202933-2748-4259-9227-cec38f5b4f5e","High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347","high-court-tiktok-technology-limited-v-data-protection-commission-2026-iehc-347-e1f449","← Older revision Revision as of 08:11, 17 June 2026 Line 12: Line 12: |ECLI= |ECLI= |Original_Source_Name_1=Linkedin |Original_Source_Name_1= |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Language_1=English |Original_Source_Language_1=English Line 70: Line 70: }} }} The High Court found that TikTok’s transfers of EEA user data to China breached [[Article 46 GDPR|Article 46 GDPR]]. It upheld the fines in principle, but vacated the suspension order because the DPC had not properly assessed Project Clover and whether users remained identifiable in data accessible from China. A court upheld the DPC’s finding that TikTok unlawfully transferred EEA user data to China and confirmed the DPC’s entitlement to impose a €530 million fine. However, it revoked the transfer ban because the DPC failed to properly assess TikTok’s technical changes. == English Summary == == English Summary ==","The Irish High Court has ruled that TikTok unlawfully transferred EEA user data to China, breaching Article 46 of the GDPR. While upholding the Data Protection Commission's (DPC) decision to impose a €530 million fine in principle, the court revoked the transfer ban. This revocation was due to the DPC's failure to adequately assess TikTok's technical changes, specifically 'Project Clover,' and whether user data remained identifiable when accessed from China.","High Court upholds TikTok fine for unlawful data transfers to China but revokes transfer ban.","Help High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 09:33, 16 June 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators83 edits Tag: submission [1.0] Revision as of 08:11, 17 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators83 editsTag: Visual editNewer edit → Line 12: Line 12: |ECLI=|ECLI= |Original_Source_Name_1=Linkedin|Original_Source_Name_1= |Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E|Original_Source_Link_1=https:\u002F\u002Fmedia.licdn.com\u002Fdms\u002Fdocument\u002Fmedia\u002Fv2\u002FD4E1FAQEu5NQOLfg3Uw\u002Ffeedshare-document-pdf-analyzed\u002FB4EZ64ivSAJYAY-\u002F0\u002F1781212581102?e=1782345600&v=beta&t=KhMCakoA-T4ShUP4nmpz46xGWizXu_iZxQuC21whW9E |Original_Source_Language_1=English|Original_Source_Language_1=English Line 70: Line 70: }}}} The High Court found that TikTok’s transfers of EEA user data to China breached [[Article 46 GDPR|Article 46 GDPR]]. It upheld the fines in principle, but vacated the suspension order because the DPC had not properly assessed Project Clover and whether users remained identifiable in data accessible from China.A court upheld the DPC’s finding that TikTok unlawfully transferred EEA user data to China and confirmed the DPC’s entitlement to impose a €530 million fine. However, it revoked the transfer ban because the DPC failed to properly assess TikTok’s technical changes. == English Summary ==== English Summary == Revision as of 08:11, 17 June 2026 High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 Court: High Court (Ireland) Jurisdiction: Ireland Relevant Law: Article 13(1)(f) GDPR Article 46(1) GDPR Article 83(2)(b) GDPR Decided: 03.06.2026 Published: 03.06.2026 Parties: TikTok Technology Limited TikTok Information Technologies UK Limited Data Protection Commission National Case Number\u002FName: TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 European Case Law Identifier: Appeal from: Data Protection CommissionIN-21-9-2 Appeal to: Unknown Original Language(s): English Original Source: (in English) Initial Contributor: bms A court upheld the DPC’s finding that TikTok unlawfully transferred EEA user data to China and confirmed the DPC’s entitlement to impose a €530 million fine. However, it revoked the transfer ban because the DPC failed to properly assess TikTok’s technical changes. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts TikTok Technology Limited, the controller, and TikTok Information Technologies UK Limited appealed a decision of the Data Protection Commission, the DPA, before the High Court. The DPA had opened an own-volition inquiry into transfers of personal data of EEA users of the TikTok platform to China. The controller operated the TikTok platform in the EEA and allowed personnel of China-based group entities to remotely access certain EEA user data. The controller accepted that the data included personal data and that the remote access constituted a transfer under Chapter V GDPR. The controller relied on standard contractual clauses and supplementary measures. It argued that the personal data was stored outside China and only remotely accessed from China. On this basis, the controller claimed that Chinese public authorities could not compel access to the data because, under the territoriality principle in Chinese law, Chinese authorities had no power to access data stored outside China. The DPA considered that the controller had not sufficiently demonstrated that the relevant Chinese laws would not apply to the personal data while it was being processed by personnel in China. The DPA also considered that the controller had failed to properly assess whether the transferred data received a level of protection essentially equivalent to that guaranteed in the EEA. During the inquiry, the controller also introduced Project Clover. This was a set of measures intended to localise EEA user data in Europe, restrict access by China-based personnel and reduce the data flows still accessible from China. Under Project Clover, certain data would remain accessible by China-based personnel, but the controller argued that this data would be subject to additional privacy-enhancing measures, including pseudonymisation and differential privacy. The DPA found that the controller infringed Article 46(1) GDPR between 29 July 2020 and 17 May 2023. It also found that the controller infringed Article 13(1)(f) GDPR between 29 July 2020 and 1 December 2022, because its 2021 privacy policy did not identify the third countries to which personal data was transferred and did not properly explain the nature of the processing. The DPA imposed administrative fines totalling €530 million. It also ordered the controller to suspend the transfers and to bring its processing into compliance with the GDPR. The controller appealed the infringement findings, the fines and the corrective orders. Holding The Court largely dismissed the appeal. First, the Court upheld the finding that the controller infringed Article 46(1) GDPR. The Court held that Chapter V GDPR requires a controller transferring personal data to a third country to verify that the data receives a level of protection essentially equivalent to that guaranteed in the EEA. The controller must also be able to demonstrate that assessment, in line with the accountability principle under Articles 5(2) and 24 GDPR. The Court rejected the controller’s argument that the DPA had reversed the burden of proof. The DPA did not have to prove that Chinese authorities would in fact access the personal data. Rather, the relevant question was whether the controller had adequately verified and demonstrated that the transferred personal data received the required level of protection. The Court also rejected the controller’s argument that the DPA had misinterpreted Schrems II. According to the Court, the DPA was entitled to assess whether the controller’s verification of the third-country legal framework and supplementary measures was adequate. Since the controller had not properly assessed the position of personal data processed by personnel in China, the DPA was entitled to find an infringement. Second, the Court upheld the finding that the controller infringed Article 13(1)(f) GDPR. The Court held that the controller’s privacy policy should have identified the third countries to which personal data was transferred, including China. It should also have explained the nature of the processing. The Court considered that the 2021 privacy policy fell short of the GDPR’s transparency requirements. Third, the Court upheld the DPA’s conclusion that the infringements were negligent under Article 83(2)(b) GDPR. The controller failed to comply with an obvious obligation under Article 46(1) GDPR and did not justify its misunderstanding of its obligations under Article 13(1)(f) GDPR. Therefore, the DPA was entitled to impose administrative fines. However, the Court left the controller’s appeal against the amount of the fines for a later judgment. Fourth, the Court assessed the corrective orders. It held that the DPA had not erred in law by considering whether a suspension order and processing order were necessary, appropriate and proportionate. The DPA was not required to make a further infringement finding before adopting corrective orders. However, the Court found that the DPA had not adequately assessed later evidence submitted by the controller. This included an updated Chinese law opinion and, in particular, the Project Clover measures. The Court accep","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=High_Court_-_TikTok_Technology_Limited_v_Data_Protection_Commission_(2026)_IEHC_347&diff=51900&oldid=51880","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-06-17T08:11:09+00:00","2026-06-17T10:00:11.63713+00:00",7,[18,21,24],{"name":19,"type":20},"TikTok","product",{"name":22,"type":23},"TikTok Technology Limited","vendor",{"name":25,"type":23},"TikTok Information Technologies UK Limited","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":26,"icon":28,"name":29,"slug":30},null,"Policy","policy",[32,37,42,44],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":38},{"id":39,"icon":28,"name":40,"slug":41},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":43},{"id":26,"icon":28,"name":29,"slug":30},{"category":45},{"id":46,"icon":28,"name":47,"slug":48},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]