High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347

Summary

The High Court of Ireland ruled that TikTok Technology Limited breached GDPR by transferring EEA user data to China. The court upheld the principle of fines imposed by the Data Protection Commission but vacated the suspension order, stating the DPC did not properly assess TikTok's 'Project Clover' measures and user data identifiability from China. TikTok had argued that Chinese authorities could not compel access to data stored outside China, but the DPC found insufficient demonstration that relevant Chinese laws would not apply.

Full text

Help High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 09:33, 16 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators76 edits Tag: submission [1.0] (No difference) Latest revision as of 09:33, 16 June 2026 High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 Court: High Court (Ireland) Jurisdiction: Ireland Relevant Law: Article 13(1)(f) GDPR Article 46(1) GDPR Article 83(2)(b) GDPR Decided: 03.06.2026 Published: 03.06.2026 Parties: TikTok Technology Limited TikTok Information Technologies UK Limited Data Protection Commission National Case Number/Name: TikTok Technology Limited v Data Protection Commission (2026) IEHC 347 European Case Law Identifier: Appeal from: Data Protection CommissionIN-21-9-2 Appeal to: Unknown Original Language(s): English Original Source: Linkedin (in English) Initial Contributor: bms The High Court found that TikTok’s transfers of EEA user data to China breached Article 46 GDPR. It upheld the fines in principle, but vacated the suspension order because the DPC had not properly assessed Project Clover and whether users remained identifiable in data accessible from China. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts TikTok Technology Limited, the controller, and TikTok Information Technologies UK Limited appealed a decision of the Data Protection Commission, the DPA, before the High Court. The DPA had opened an own-volition inquiry into transfers of personal data of EEA users of the TikTok platform to China. The controller operated the TikTok platform in the EEA and allowed personnel of China-based group entities to remotely access certain EEA user data. The controller accepted that the data included personal data and that the remote access constituted a transfer under Chapter V GDPR. The controller relied on standard contractual clauses and supplementary measures. It argued that the personal data was stored outside China and only remotely accessed from China. On this basis, the controller claimed that Chinese public authorities could not compel access to the data because, under the territoriality principle in Chinese law, Chinese authorities had no power to access data stored outside China. The DPA considered that the controller had not sufficiently demonstrated that the relevant Chinese laws would not apply to the personal data while it was being processed by personnel in China. The DPA also considered that the controller had failed to properly assess whether the transferred data received a level of protection essentially equivalent to that guaranteed in the EEA. During the inquiry, the controller also introduced Project Clover. This was a set of measures intended to localise EEA user data in Europe, restrict access by China-based personnel and reduce the data flows still accessible from China. Under Project Clover, certain data would remain accessible by China-based personnel, but the controller argued that this data would be subject to additional privacy-enhancing measures, including pseudonymisation and differential privacy. The DPA found that the controller infringed Article 46(1) GDPR between 29 July 2020 and 17 May 2023. It also found that the controller infringed Article 13(1)(f) GDPR between 29 July 2020 and 1 December 2022, because its 2021 privacy policy did not identify the third countries to which personal data was transferred and did not properly explain the nature of the processing. The DPA imposed administrative fines totalling €530 million. It also ordered the controller to suspend the transfers and to bring its processing into compliance with the GDPR. The controller appealed the infringement findings, the fines and the corrective orders. Holding The Court largely dismissed the appeal. First, the Court upheld the finding that the controller infringed Article 46(1) GDPR. The Court held that Chapter V GDPR requires a controller transferring personal data to a third country to verify that the data receives a level of protection essentially equivalent to that guaranteed in the EEA. The controller must also be able to demonstrate that assessment, in line with the accountability principle under Articles 5(2) and 24 GDPR. The Court rejected the controller’s argument that the DPA had reversed the burden of proof. The DPA did not have to prove that Chinese authorities would in fact access the personal data. Rather, the relevant question was whether the controller had adequately verified and demonstrated that the transferred personal data received the required level of protection. The Court also rejected the controller’s argument that the DPA had misinterpreted Schrems II. According to the Court, the DPA was entitled to assess whether the controller’s verification of the third-country legal framework and supplementary measures was adequate. Since the controller had not properly assessed the position of personal data processed by personnel in China, the DPA was entitled to find an infringement. Second, the Court upheld the finding that the controller infringed Article 13(1)(f) GDPR. The Court held that the controller’s privacy policy should have identified the third countries to which personal data was transferred, including China. It should also have explained the nature of the processing. The Court considered that the 2021 privacy policy fell short of the GDPR’s transparency requirements. Third, the Court upheld the DPA’s conclusion that the infringements were negligent under Article 83(2)(b) GDPR. The controller failed to comply with an obvious obligation under Article 46(1) GDPR and did not justify its misunderstanding of its obligations under Article 13(1)(f) GDPR. Therefore, the DPA was entitled to impose administrative fines. However, the Court left the controller’s appeal against the amount of the fines for a later judgment. Fourth, the Court assessed the corrective orders. It held that the DPA had not erred in law by considering whether a suspension order and processing order were necessary, appropriate and proportionate. The DPA was not required to make a further infringement finding before adopting corrective orders. However, the Court found that the DPA had not adequately assessed later evidence submitted by the controller. This included an updated Chinese law opinion and, in particular, the Project Clover measures. The Court accepted that Project Clover involved significant changes to the controller’s transfer model, including data localisation, access controls, reduced data flows and privacy-enhancing technologies. The Court held that the DPA had not sufficiently explained why the controller’s pseudonymisation and differential privacy measures were ineffective, or why they did not affect the need for a suspension order. In particular, the DPA had not properly assessed whether EEA users remained identifiable in the data still accessible by China-based personnel under Project Clover. The Court noted that pseudonymised data is not automatically non-personal data, but it is also not necessarily personal data in every context. This required a reasoned assessment. The Court therefore upheld the finding that the controller’s transfers to China were unlawful under Article 46(1) GDPR and confirmed that the DPA was entitled to impose administrative fines. However, it vacated the DPA’s order requiring the suspension of the transfers, as well as the related processing order. The matter was remitted to the DPA, which must reassess whether corrective measures remain necessary and proportionate in light of Project Clover and the other later evidence. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The

Entities