High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347
High Court upholds finding that TikTok's international data transfers to China were unlawful under GDPR.
Summary
The Irish High Court largely dismissed TikTok Technology Limited's appeal against the Data Protection Commission (DPC). The court upheld the finding that TikTok infringed Article 46(1) GDPR by unlawfully transferring personal data to China, as the company failed to adequately verify the level of protection afforded to the data. The court also found TikTok infringed transparency obligations under Article 13(1)(f) GDPR for not properly identifying data transfer destinations and processing nature in its privacy policy. While the court confirmed the DPC's entitlement to impose fines, it vacated the order suspending data transfers, remitting the matter for reassessment.
Full text
Help High Court - TikTok Technology Limited v Data Protection Commission (2026) IEHC 347: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:22, 17 June 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators83 editsTag: Visual edit← Older edit Latest revision as of 08:52, 17 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators83 editsTag: Visual edit Line 91: Line 91: === Holding ====== Holding === The Court largely dismissed the appeal.The Court largely dismissed the appeal. '''Unlawful international transfers to China''' First, the Court upheld the finding that the controller infringed [[Article 46 GDPR#1|Article 46(1) GDPR]]. The Court held that Chapter V GDPR requires a controller transferring personal data to a third country to verify that the data receives a level of protection essentially equivalent to that guaranteed in the EEA. The controller must also be able to demonstrate that assessment, in line with the accountability principle under Articles 5(2) and 24 GDPR.First, the Court upheld the finding that the controller infringed [[Article 46 GDPR#1|Article 46(1) GDPR]]. The Court held that Chapter V GDPR requires a controller transferring personal data to a third country to verify that the data receives a level of protection essentially equivalent to that guaranteed in the EEA. The controller must also be able to demonstrate that assessment, in line with the accountability principle under Articles 5(2) and 24 GDPR. Line 96: Line 98: The Court rejected the controller’s argument that the DPA had reversed the burden of proof. The DPA did not have to prove that Chinese authorities would in fact access the personal data. Rather, the relevant question was whether the controller had adequately verified and demonstrated that the transferred personal data received the required level of protection.The Court rejected the controller’s argument that the DPA had reversed the burden of proof. The DPA did not have to prove that Chinese authorities would in fact access the personal data. Rather, the relevant question was whether the controller had adequately verified and demonstrated that the transferred personal data received the required level of protection. The Court also rejected the controller’s argument that the DPA had misinterpreted Schrems II. According to the Court, the DPA was entitled to assess whether the controller’s verification of the third-country legal framework and supplementary measures was adequate. Since the controller had not properly assessed the position of personal data processed by personnel in China, the DPA was entitled to find an infringement.The Court also rejected the controller’s argument that the DPA had misinterpreted Schrems II. According to the Court, the DPA was entitled to assess whether the controller’s verification of the third-country legal framework and supplementary measures was adequate. Since the controller had not properly assessed the position of personal data processed by personnel in China, the DPA was entitled to find an infringement. '''Transparency obligations (Article 13(1)(f) GDPR)''' Second, the Court upheld the finding that the controller infringed [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]. The Court held that the controller’s privacy policy should have identified the third countries to which personal data was transferred, including China. It should also have explained the nature of the processing. The Court considered that the 2021 privacy policy fell short of the GDPR’s transparency requirements.Second, the Court upheld the finding that the controller infringed [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]. The Court held that the controller’s privacy policy should have identified the third countries to which personal data was transferred, including China. It should also have explained the nature of the processing. The Court considered that the 2021 privacy policy fell short of the GDPR’s transparency requirements. '''Negligence and entitlement to impose fines (Article 83 GDPR)''' Third, the Court upheld the DPA’s conclusion that the infringements were negligent under [[Article 83 GDPR#2b|Article 83(2)(b) GDPR]]. The controller failed to comply with an obvious obligation under [[Article 46 GDPR#1|Article 46(1) GDPR]] and did not justify its misunderstanding of its obligations under [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]. Therefore, the DPA was entitled to impose administrative fines. However, the Court left the controller’s appeal against the amount of the fines for a later judgment.Third, the Court upheld the DPA’s conclusion that the infringements were negligent under [[Article 83 GDPR#2b|Article 83(2)(b) GDPR]]. The controller failed to comply with an obvious obligation under [[Article 46 GDPR#1|Article 46(1) GDPR]] and did not justify its misunderstanding of its obligations under [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]. Therefore, the DPA was entitled to impose administrative fines. However, the Court left the controller’s appeal against the amount of the fines for a later judgment. '''Corrective measures''' Fourth, the Court assessed the corrective orders. It held that the DPA had not erred in law by considering whether a suspension order and processing order were necessary, appropriate and proportionate. The DPA was not required to make a further infringement finding before adopting corrective orders.Fourth, the Court assessed the corrective orders. It held that the DPA had not erred in law by considering whether a suspension order and processing order were necessary, appropriate and proportionate. The DPA was not required to make a further infringement finding before adopting corrective orders. Line 106: Line 114: The Court held that the DPA had not sufficiently explained why the controller’s pseudonymisation and differential privacy measures were ineffective, or why they did not affect the need for a suspension order. In particular, the DPA had not properly assessed whether EEA users remained identifiable in the data still accessible by China-based personnel under Project Clover. The Court noted that pseudonymised data is not automatically non-personal data, but it is also not necessarily personal data in every context. This required a reasoned assessment.The Court held that the DPA had not sufficiently explained why the controller’s pseudonymisation and differential privacy measures were ineffective, or why they did not affect the need for a suspension order. In particular, the DPA had not properly assessed whether EEA users remained identifiable in the data still accessible by China-based personnel under Project Clover. The Court noted that pseudonymised data is not automatically non-personal data, but it is also not necessarily personal data in every context. This required a reasoned assessment. '''Outcome''' The Court therefore upheld the finding that the controller’s transfers to China were unlawful under [[Article 46 GDPR#1|Article 46(1) GDPR]] and confirmed that the DPA was entitled to impose administrative fines. However, it vacated the DPA’s order requiring the suspension of the transfers, as well as the related processing order. The matter was remitted to the DPA, which must reassess whether corrective measures remain necessary and proportionate in light of Project Clover and the other later evidence.The Court therefore upheld the finding that the controller’s transfers to China were unlawful under [[Article 46 GDPR#1|Article 46(1) GDPR]] and confirmed that the DPA was entitled to impose administrative fines. However, it vacated the DPA’s order requiring the suspension of the transfers, as well as the related processing order. The matter was remitted to the DPA, which must reassess whether corrective measures remain necessary and proportionate in light of Project Clover and the other