TikTok: User data from the EU was stored in China

The Irish data protection authority imposes a 530 million euro fine and examines further measures after data of EU citizens was stored in China.


The skeptics about TikTok are likely to feel vindicated: user data was unlawfully stored in China. This is now certain following a decision by the Irish Data Protection Commission (DPC), the responsible supervisory authority. The TikTok parent company had lied to the supervisory authorities for years. At least some of the data of EU users was stored on servers in China, as TikTok operator Bytedance was forced to admit in April. It was allegedly only in February 2025 that Bytedance itself discovered that the information it had previously given was inaccurate.

"The DPC takes these recent developments very seriously," said Graham Doyle, Deputy Chairman of the Irish Data Protection Commission. "Although TikTok has informed the DPC that the data has now been deleted, we are working with the other EU data protection regulators to consider what further regulatory action is needed." TikTok had also publicly asserted many times that user data subject to the General Data Protection Regulation would not be stored in China: For example, to this day, a "Myths and Facts" page of the operator Bytedance states that data is stored in the USA, Singapore and Malaysia, but not in China. There have long been doubts about this. With the admission in the Irish data protection proceedings, the company's previous claim has now been refuted.

In the proceedings, which have been ongoing since 2021, the DPC has now imposed a fine of 530 million euros on the TikTok operator. That a fine of this amount was on the cards had already become known through media reports at the beginning of April. The Irish supervisory authority is responsible for enforcing the General Data Protection Regulation against TikTok because of the location of the company's European headquarters.

The DPC ordered TikTok to bring its data processing in line with the GDPR within six months of the decision taking legal effect and to cease data transfers to China if they do not comply with the GDPR. For the transfers to comply, Bytedance would have to prove that the protection of the data is fundamentally comparable to the EU level of protection even if the data is stored in China.

The legislation of the People's Republic itself stands in the way of this: the security law of the totalitarian one-party state provides for massive access rights and imposes obligations to cooperate on Chinese citizens, and many experts doubt whether China's written law plays a major role at all in cases of national security. Data transfer to the People's Republic would therefore only be permissible at all if technical measures were taken to protect EU data.

However, TikTok has failed to "verify, guarantee and demonstrate that the personal data of users from the European Economic Area accessed remotely by employees in China enjoy a level of protection that is essentially equivalent to the level of protection guaranteed in the EU", according to a statement from the DPC. This means that TikTok has not taken into account "potential access by Chinese authorities to personal data from the European Economic Area under Chinese counter-terrorism, counter-espionage and other laws."

In the documents it submitted, Bytedance itself stated that this problem exists, which is also why it launched "Project Clover": data from countries covered by the GDPR (all 27 EU member states plus Norway, Liechtenstein and Iceland) is to be stored in secure EU data centers in the future. In particular, a data center in Hamar, Norway, north of the capital Oslo, is to ensure this; according to Bytedance, it went online at the beginning of April. However, the Irish data protection authority is also addressing the fact that the physical location of the data center alone is not enough; it is also a matter of securing access by employees in accordance with the requirements of the GDPR.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.