Fresh inquiry into TikTok data transfers to China

Ireland’s Data Protection Commission (DPC) has launched a further inquiry into TikTok over its transfers of European users’ personal data to servers in China.
The new inquiry follows a previous decision by the DPC in which the regulator imposed a €530 million fine on TikTok in connection with a different type of transfer of European users’ data to China.
TikTok maintained throughout that inquiry that no European users’ data was stored on servers located in China. The transfers of data took place by way of Chinese staff remotely accessing data stored on European servers.
However, in the final stages of the inquiry, TikTok said it had discovered some limited European users’ data had in fact been stored on servers located in China, meaning its evidence had been wrong.
The DPC, having considered how to respond to the late-stage revelation, today said it had decided to commence a new inquiry under section 110 of the Data Protection Act 2018.
The decision to launch a fresh inquiry was notified to TikTok earlier this week.
The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers pursuant to Chapter V of the GDPR.
The inquiry will consider the following provisions of the GDPR: Articles 5(2) (accountability), 13(1)(f) (transparency information in relation to third country transfers), 31 (obligation to cooperate with the supervisory authority) and Chapter V GDPR (compliance with the relevant requirements for third country transfers).