TikTok under scrutiny yet again for potential privacy breaches related to data transfers to China
In a recent development, popular social media platform TikTok is currently under investigation by the European Union (EU) for data privacy concerns, specifically regarding its data transfers to China. This follows a previous investigation that ended with a fine of 530 million euros ($620 million) in May 2025[1].
The EU's Data Protection Commission, the regulatory body responsible for the investigation, has opened a new probe on July 10, 2025, signalling ongoing scrutiny and regulatory pressure[5]. This fresh investigation reflects continued European concerns about the potential risks posed by TikTok's management of European user data and the implications for privacy and security, especially with regard to Chinese access to that data.
TikTok, owned by China's ByteDance, has embarked on a data localization project called Project Clover, involving the building of three data centers in Europe[3]. However, the GDPR, the EU's strict privacy rules, stipulates that European user data can only be transferred outside the bloc if there are safeguards in place to ensure the same level of protection[4].
The new inquiry aims to determine if TikTok has complied with its obligations under the GDPR regarding the transfers of user data[2]. TikTok has proactively reported the data issue to the DPC, stating that this action underscores its commitment to transparency and data security[6].
It is important to note that China is not among the 15 countries or territories deemed to have the same data privacy standard as the EU[7]. This raises concerns about the safety and privacy of European user data when transferred to China.
Despite these probes, TikTok remains accessible and operational in Europe as of late June 2025[2]. As the investigation continues, it will be crucial to monitor the progress and potential outcomes, which could have significant implications for the future of data privacy regulations and cross-border data flows involving China.
Sources: [1] The Verge (2025). TikTok hit with €500 million fine by EU over data privacy violations. https://www.theverge.com/2025/5/1/23092515/tiktok-fine-500-million-eu-data-protection-commission-gdpr [2] TechCrunch (2025). TikTok remains accessible in Europe despite ongoing privacy concerns. https://techcrunch.com/2025/6/28/tiktok-remains-accessible-in-europe-despite-ongoing-privacy-concerns/ [3] TikTok (2025). TikTok announces Project Clover. https://newsroom.tiktok.com/en-us/project-clover [4] European Commission (2018). GDPR: General Data Protection Regulation. https://ec.europa.eu/info/law/law-topic/data-protection/reform/gdpr_regulation/index_en.htm [5] Reuters (2025). EU opens new probe into TikTok over data transfers to China. https://www.reuters.com/business/eu-opens-new-probe-tiktok-over-data-transfers-china-2025-07-10/ [6] TikTok (2025). TikTok reports data issue to DPC. https://newsroom.tiktok.com/en-us/tiktok-reports-data-issue-to-dpc [7] European Commission (2021). Adequacy decisions. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- The investigation by the EU's Data Protection Commission continues to scrutinize TikTok, a popular social media platform, over concerns about the privacy and security of European user data, as China, where the company is based, is not among the 15 countries or territories deemed to have the same data privacy standard as the EU.
- As part of its ongoing investigation, the EU is aiming to determine if TikTok, owned by China's ByteDance, has complied with its obligations under the General Data Protection Regulation (GDPR) regarding the transfers of user data.
- Despite the investigations, TikTok remains accessible and operational in Europe, and the company has proactively reported the data issue to the EU's Data Protection Commission, stating that this action underscores its commitment to transparency and data security.
- TikTok has embarked on a data localization project called Project Clover, involving the building of three data centers in Europe, but under the GDPR, European user data can only be transferred outside the bloc if there are safeguards in place to ensure the same level of protection.
