This new probe follows TikTok’s own disclosure in April 2025 that a “limited amount” of European user data had been stored on Chinese servers. 

That admission directly contradicts what the platform, owned by China’s ByteDance, had told regulators during an earlier four-year investigation, where it repeatedly claimed no EU data was stored in China.

Now, the DPC is going back in, focusing specifically on this storage issue, which was not addressed in its previous investigation. The timing and scope of this latest development signal growing distrust, especially given TikTok’s shifting account of how it manages personal data across borders.

The company is already appealing a €530 million fine imposed in May 2025 for violations of the EU’s General Data Protection Regulation (GDPR). That sanction included €485 million for unlawful data transfers and €45 million for failing to inform users in a clear and transparent manner.

What triggered the fresh inquiry was TikTok’s late admission that its internal systems, under the so-called “Project Clover,” flagged the unauthorised storage in China earlier in the year. While TikTok insists the incident proves the effectiveness of its €12 billion local data protection project, the DPC is less convinced. 

The regulator sees it as potential evidence of misinformation during previous proceedings, misinformation that could carry further penalties.

This is not just about a single platform. TikTok’s legal appeal warns that the ruling could “set a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.” It’s a warning that resonates beyond social media and into the heart of how tech firms do business across borders.

Under the GDPR, personal data from EU residents can only be transferred to countries that meet the bloc’s strict data adequacy requirements. China does not qualify. 

The fact that data was not only transferred but also stored, even temporarily, on Chinese servers raises fresh alarms about surveillance risks and unauthorised access.

TikTok, which has its European headquarters in Ireland, has not issued any fresh statement on this new investigation. But its silence may speak volumes at a time when regulators are escalating investigations and patience is wearing thin.

With this second inquiry underway, TikTok’s strategy to build trust through Project Clover now stands on shaky ground. The €12 billion project aimed to localise EU user data in Ireland and Norway, and prevent foreign access. 

But instead of calming regulators, it has triggered more questions, especially about what else might be discovered as Europe tightens its grip on cross-border data flows.

This is another step in Europe’s investigation of Chinese tech firms accused of flouting privacy rules.

The Berlin Data Protection Commissioner, Meike Kamp, invoked Article 16 of the EU’s Digital Services Act (DSA) in a formal notice to both tech giants, declaring DeepSeek’s app as illegal content under European law. 

At the heart of the matter is the company’s transfer of user data to China, without any of the legal safeguards mandated by the EU’s General Data Protection Regulation (GDPR).

Kamp stated, “DeepSeek has not been able to provide my agency with convincing evidence that German users’ data is protected in China to a level equivalent to that in the European Union.”

That alone would be enough to raise red flags. But the issue runs deeper.

Germany’s investigation found that DeepSeek violated Article 46 of the GDPR, which governs international data transfers. China does not have an EU adequacy decision, a prerequisite for transferring personal data outside Europe without further protections. 

Yet DeepSeek allegedly failed to implement even basic legal mechanisms, such as Standard Contractual Clauses (SCCs), that could have made such transfers lawful.

According to DeepSeek’s own privacy policy, the app stores an alarming range of personal data, including search queries, chat histories, uploaded documents, and location data, on servers based in China. Nowhere in the policy is GDPR mentioned. No safeguards are outlined. No clarity is given.

This isn’t the first time the company has faced European resistance. Italy’s data protection authority banned DeepSeek earlier this year after it failed to explain how it collects and processes user data. The Netherlands followed shortly after, warning the public not to submit sensitive information through the app.

In the United States, lawmakers are drafting legislation that would prohibit federal agencies from using AI models developed in China. A senior U.S. State Department official told Reuters that “DeepSeek is actively supporting China’s military and intelligence operations, including providing services to PLA research institutions.” 

The same report revealed that the company allegedly used shell companies in Southeast Asia to bypass U.S. export controls and acquire Nvidia H100 chips, restricted hardware used for training advanced AI models.

These concerns have been amplified by DeepSeek’s rapid ascent. The company claimed in January that its AI models, such as DeepSeek-R1 and V3, rival those of OpenAI and Meta—at a fraction of the cost. It reportedly trained its large language model for just $5.6 million, a figure many experts find highly questionable. 

Nevertheless, the apps have surged in popularity, topping download charts across multiple countries, and exposing users’ data to foreign jurisdictions.

Despite repeated requests from German authorities since May, DeepSeek refused to adjust its data practices or withdraw voluntarily from the app stores. With that deadline now past, the commissioner’s office has moved decisively.

Apple and Google are expected to act quickly, but neither company has responded to requests for comment.