On 3 June 2026, the Irish High Court upheld the Data Protection Commission's (DPC) findings against TikTok and the €530 million fine imposed following the regulator's inquiry into transfers of EEA user data to the People's Republic of China. The penalty - among the largest ever issued under the GDPR - comprised €485 million for unlawful data transfers and €45 million for transparency failures. The DPC acted in its role as lead supervisory authority for TikTok under the GDPR's one-stop-shop mechanism.
The inquiry examined the lawfulness of TikTok's transfers of EEA users' personal data to China, focusing on whether the company could guarantee a level of protection essentially equivalent to that required within the EU when data was remotely accessible from a third country without an adequacy decision. The transparency component concerned the adequacy of the information TikTok provided to users about those transfers. The High Court's decision confirms that the substantive findings and the fine stand, although the court directed the DPC to reconsider its order suspending further transfers to China and has indicated it will consider TikTok's appeal regarding the amount of the penalty - leaving both the corrective measures and the quantum open to further argument even as the underlying liability is settled.
The decision lands at a moment when international data transfers remain one of the most contested areas of GDPR enforcement. The absence of an adequacy decision for China means that transfers rely on safeguards such as standard contractual clauses, supplemented by transfer impact assessments that must account for the legal environment in the destination country - including the prospect of government access to data. The TikTok case turns precisely on whether those safeguards were sufficient given the access risks identified, and the High Court's endorsement of the DPC's core reasoning reinforces the bar that controllers must clear.
For organisations transferring personal data outside the EEA, the ruling is a reminder that the mechanism chosen - SCCs, binding corporate rules, or a certification - is only the starting point. The substantive question is whether the data, once transferred, enjoys protection equivalent to that guaranteed within the Union, and whether the organisation can evidence the assessment that led it to that conclusion.
Acompli perspective: The TikTok decision confirms that international transfers remain a primary enforcement target, and that the size of the penalties reflects how seriously regulators treat them. A transfer mechanism on paper is not a defence on its own; what matters is the documented assessment behind it. Organisations moving data outside the EEA should ensure their records of processing capture every transfer and its legal basis, that their risk management framework includes transfer impact assessments that genuinely engage with destination-country access risks, and that their data mapping reflects where data can be accessed from - not merely where it is nominally stored.