This new probe follows TikTok’s own disclosure in April 2025 that a “limited amount” of European user data had been stored on Chinese servers. 

That admission directly contradicts what the platform, owned by China’s ByteDance, had told regulators during an earlier four-year investigation, where it repeatedly claimed no EU data was stored in China.

Now, the DPC is going back in, focusing specifically on this storage issue, which was not addressed in its previous investigation. The timing and scope of this latest development signal growing distrust, especially given TikTok’s shifting account of how it manages personal data across borders.

The company is already appealing a €530 million fine imposed in May 2025 for violations of the EU’s General Data Protection Regulation (GDPR). That sanction included €485 million for unlawful data transfers and €45 million for failing to inform users in a clear and transparent manner.

What triggered the fresh inquiry was TikTok’s late admission that its internal systems, under the so-called “Project Clover,” flagged the unauthorised storage in China earlier in the year. While TikTok insists the incident proves the effectiveness of its €12 billion local data protection project, the DPC is less convinced. 

The regulator sees it as potential evidence of misinformation during previous proceedings, misinformation that could carry further penalties.

This is not just about a single platform. TikTok’s legal appeal warns that the ruling could “set a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.” It’s a warning that resonates beyond social media and into the heart of how tech firms do business across borders.

Under the GDPR, personal data from EU residents can only be transferred to countries that meet the bloc’s strict data adequacy requirements. China does not qualify. 

The fact that data was not only transferred but also stored, even temporarily, on Chinese servers raises fresh alarms about surveillance risks and unauthorised access.

TikTok, which has its European headquarters in Ireland, has not issued any fresh statement on this new investigation. But its silence may speak volumes at a time when regulators are escalating investigations and patience is wearing thin.

With this second inquiry underway, TikTok’s strategy to build trust through Project Clover now stands on shaky ground. The €12 billion project aimed to localise EU user data in Ireland and Norway, and prevent foreign access. 

But instead of calming regulators, it has triggered more questions, especially about what else might be discovered as Europe tightens its grip on cross-border data flows.

The organisation’s Executive Director, Mr. ‘Gbenga Sesan and Senior Manager, Programs and Grants Strategy, Boye Adegoke expressed the concerns when they paid a courtesy call to the Nigeria Data Protection Bureau in Abuja, Nigeria last week.

Sentiments from PIN come at a time when the legislature is discussing the country’s Data Protection Bill.

 “We are worried that the bill may not enjoy further stakeholder input through a Public Hearing at the National Assembly before a planned Third Reading and passage. It is also important to state that excluding civil society from the proposed Data Protection Commission’s Governing Council is worrying. We will, however, continue to put your feet to the fire so you always do what is right even if it means condemning the actions of erring government agencies and officials,” ‘Gbenga said.

He was also quick to point out that as much as PIN appreciates ongoing legislative discussion, there was a need for the process to be inclusive and the Data Protection Commission to be independent.

 “While we appreciate the ongoing legislative discussion of a Data Protection Bill for Nigeria, something we have worked hard towards, we are very clear on the need for the process to be inclusive and for the Data Protection Commission to be independent,” ‘Gbenga told the National Commissioner of the Nigeria Data Protection Bureau, Dr. Vincent Olatunji, during the visit.

On his part, Boye was categorical that:

“the institution will not be independent because it is called independent, but because it is set up to be independent through financing, board composition and the process for the recruitment of the data protection officer.”

At the same time, PIN raised issues over the violation of data protection by various digital loan apps in Nigeria, and citizens’ data protection in the proposed census exercise by the National Population Commission (NPC).

Dr. Olatunji shared information on the bill and explained how its passage would guarantee the rights, freedoms and interest of data subjects in Nigeria. He also provided updates on the bureau’s independence, enforcement procedures and tackling the challenge of digital lending companies, among others.

The purpose of the visit was to discuss the progress of the Data Protection Bill and raise concern over the above-mentioned violations.

The bill seeks to establish an independent and effective regulatory commission to oversee data protection and privacy issues and supervise data controllers and data processors within public and private sectors.