TikTok sues Ireland’s data protection watchdog over €530m penalty from regulator

Neither TikTok nor the DPC had responded to a request for comment at the time of publication.

A judicial review relates to the courts reviewing the correctness or otherwise in law of a decision made by an organ of the State, be it a Government Department or a semi-state agency.

The suit is understood to relate directly to the DPC’s decision to hand the enormous fine to TikTok over the transfer of users’ personal data from Europe to China.

Issuing that decision on May 2, the DPC told the Chinese-owned firm that it had breached Europe’s General Data Protection Regulation (GDPR) over the transfer of data to China and its own transparency requirements.

The DPC said at the time that the fine —  the second largest issued under GDPR in the DPC’s history — had resulted from the company having “failed to verify, guarantee and demonstrate that the personal data of European Economic Area users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU”.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards,” the DPC’s deputy commissioner Graham Doyle said at the time.

The administrative fine of €530m was accompanied by a direction requiring TikTok to bring its processing into compliance within six months.

The company was also ordered to suspend transfers to China if the way it processes data is not brought into compliance over the same timeframe.

Throughout the inquiry into TikTok the DPC had said that the company had maintained that it did not store data from users in the European Economic Area on servers located in China.

In April, however, TikTok informed the DPC that it had discovered “limited” European data had been stored on servers in China. The company said it had identified this in February.

TikTok informed the DPC that this discovery “meant that TikTok had provided inaccurate information to the inquiry”.

Earlier this month the DPC said that it is taking recent developments regarding the storage of EEA User Data on servers in China “very seriously”.

“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities,” Mr Doyle said at the time.

In 2023, the Commission fined TikTok €345m after an investigation into how the platform processed children’s data.