Ireland: High Court granted TikTok leave to challenge EUR 530 million GDPR fine and data transfer suspension by Data Protection Commission

On 14 July 2025, the High Court granted TikTok leave to proceed with a legal challenge against the EUR 530 million fine and enforcement order issued by the Irish Data Protection Commission (DPC), which the company argues is “penal” in nature. The challenge arises from the DPC’s 2 May 2025 decision to fine TikTok for violations of the General Data Protection Regulation (GDPR) due to the unlawful transfer of personal data from the European Economic Area (EEA) to China. The DPC concluded that TikTok failed to ensure that the legal framework in China offered a level of protection essentially equivalent to EU law, despite the company’s reliance on Standard Contractual Clauses (SCCs) and arguments concerning remote access exemptions. The DPC’s inquiry found that TikTok’s internal legal assessment acknowledged material divergences in Chinese law, including risks under the Anti-Terrorism Law, Counter-Espionage Law, Cybersecurity Law, and National Intelligence Law. The DPC determined that TikTok did not conduct an adequate risk assessment or implement effective supplementary measures, necessitating both a financial penalty and a suspension of data transfers. TikTok lodged an appeal against the decision on 27 May 2025 and must comply with the GDPR within six months following the conclusion of the appeal period. Although TikTok introduced structural reforms under “Project Clover,” the DPC found these insufficient to remedy the underlying GDPR infringements at the time of its decision.