This new probe follows TikTok’s own disclosure in April 2025 that a “limited amount” of European user data had been stored on Chinese servers. 

That admission directly contradicts what the platform, owned by China’s ByteDance, had told regulators during an earlier four-year investigation, where it repeatedly claimed no EU data was stored in China.

Now, the DPC is going back in, focusing specifically on this storage issue, which was not addressed in its previous investigation. The timing and scope of this latest development signal growing distrust, especially given TikTok’s shifting account of how it manages personal data across borders.

The company is already appealing a €530 million fine imposed in May 2025 for violations of the EU’s General Data Protection Regulation (GDPR). That sanction included €485 million for unlawful data transfers and €45 million for failing to inform users in a clear and transparent manner.

What triggered the fresh inquiry was TikTok’s late admission that its internal systems, under the so-called “Project Clover,” flagged the unauthorised storage in China earlier in the year. While TikTok insists the incident proves the effectiveness of its €12 billion local data protection project, the DPC is less convinced. 

The regulator sees it as potential evidence of misinformation during previous proceedings, misinformation that could carry further penalties.

This is not just about a single platform. TikTok’s legal appeal warns that the ruling could “set a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.” It’s a warning that resonates beyond social media and into the heart of how tech firms do business across borders.

Under the GDPR, personal data from EU residents can only be transferred to countries that meet the bloc’s strict data adequacy requirements. China does not qualify. 

The fact that data was not only transferred but also stored, even temporarily, on Chinese servers raises fresh alarms about surveillance risks and unauthorised access.

TikTok, which has its European headquarters in Ireland, has not issued any fresh statement on this new investigation. But its silence may speak volumes at a time when regulators are escalating investigations and patience is wearing thin.

With this second inquiry underway, TikTok’s strategy to build trust through Project Clover now stands on shaky ground. The €12 billion project aimed to localise EU user data in Ireland and Norway, and prevent foreign access. 

But instead of calming regulators, it has triggered more questions, especially about what else might be discovered as Europe tightens its grip on cross-border data flows.

Disclosed on Monday, this new development is a response to the current issues over the transfer of sensitive data outside Europe. 

Businesses and governments across the continent are worried about the possibility that their digital information could end up in the hands of foreign authorities, particularly under controversial U.S. legislation like the CLOUD Act. 

Microsoft, among other U.S. companies, is now under pressure to provide cloud services and also guarantee that those services respect regional data sovereignty.

Central to Microsoft’s new framework is its European Data Boundary initiative. What’s different this time is the operational control; any remote access to customer systems by Microsoft engineers will be subject to approval and real-time monitoring by staff based in Europe. 

The company also introduced what it calls a “European Data Guardian” model, an internal policy that ensures only Microsoft employees who reside within Europe can authorise or oversee access to European customers’ data. 

That directly answers long-standing fears that American cloud providers could be forced to hand over data to non-European governments, regardless of where that data is stored.

In a statement, Microsoft noted that its sovereign private cloud, an infrastructure designed to serve organisations that require total jurisdictional control over their digital environments, is currently in preview and will be fully available before the end of the year. 

Once launched, it will offer a dedicated platform for critical and sensitive workloads across sectors like healthcare, defence, and finance.

This development builds on an earlier announcement from April, where Microsoft pledged to expand its cloud and AI footprint across Europe. At the time, it promised new regional data centres and enhanced compliance frameworks to meet the evolving expectations of European regulators.

This change is important because the trust gap between European institutions and American tech firms is growing. The invalidation of the Privacy Shield framework, uncertain GDPR enforcement, and geopolitical tensions have made data sovereignty a non-negotiable issue for many European stakeholders.

For Microsoft, this is about competition. The company is working to become the cloud provider most aligned with European values and legal norms. 

As competitors like Amazon Web Services and Google Cloud race to address similar issues, Microsoft is taking a chance on legal clarity and local control, winning over cautious customers.