Ireland’s Data Protection Commission (DPC) has opened a second investigation into TikTok, zeroing in on its storage of European users’ data on servers in China.
This new probe follows TikTok’s own disclosure in April 2025 that a “limited amount” of European user data had been stored on Chinese servers.
That admission directly contradicts what the platform, owned by China’s ByteDance, had told regulators during an earlier four-year investigation, where it repeatedly claimed no EU data was stored in China.
Now, the DPC is going back in, focusing specifically on this storage issue, which was not addressed in its previous investigation. The timing and scope of this latest development signal growing distrust, especially given TikTok’s shifting account of how it manages personal data across borders.
The company is already appealing a €530 million fine imposed in May 2025 for violations of the EU’s General Data Protection Regulation (GDPR). That sanction included €485 million for unlawful data transfers and €45 million for failing to inform users in a clear and transparent manner.
What triggered the fresh inquiry was TikTok’s late admission that its internal systems, under the so-called “Project Clover,” flagged the unauthorised storage in China earlier in the year. While TikTok insists the incident proves the effectiveness of its €12 billion local data protection project, the DPC is less convinced.
The regulator sees it as potential evidence of misinformation during previous proceedings, misinformation that could carry further penalties.
This is not just about a single platform. TikTok’s legal appeal warns that the ruling could “set a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.” It’s a warning that resonates beyond social media and into the heart of how tech firms do business across borders.
Under the GDPR, personal data from EU residents can only be transferred to countries that meet the bloc’s strict data adequacy requirements. China does not qualify.
The fact that data was not only transferred but also stored, even temporarily, on Chinese servers raises fresh alarms about surveillance risks and unauthorised access.
TikTok, which has its European headquarters in Ireland, has not issued any fresh statement on this new investigation. But its silence may speak volumes at a time when regulators are escalating investigations and patience is wearing thin.
With this second inquiry underway, TikTok’s strategy to build trust through Project Clover now stands on shaky ground. The €12 billion project aimed to localise EU user data in Ireland and Norway, and prevent foreign access.
But instead of calming regulators, it has triggered more questions, especially about what else might be discovered as Europe tightens its grip on cross-border data flows.
