TikTok vs The Data Protection Commissioner

November 21, 2025
Jim
Data Protection, GDPR, Technology
0

TikTok vs. The Data Protection Commissioner: A high court ruling with billion-dollar implications for EU data transfers

The Irish High Court has temporarily paused an order from the Irish Data Protection Commission (DPC) that would have forced TikTok to suspend transfers of its European Economic Area (EEA) users’ data to China. While this decision follows a staggering €530 million fine for GDPR infringements, the ruling’s true importance lies not in the temporary stay itself, but in the legal standard the court confirmed it will use to balance business continuity against regulatory enforcement in Ireland. For any organisation transferring personal data outside the European Union, this judgment provides a crucial analysis of risk, precedent, and the strategic importance of demonstrating unrecoverable business harm when challenging a regulator.

The Regulator's verdict: Why the DPC took action against TikTok

The DPC’s action stems from an inquiry it began on September 14, 2021, into TikTok’s data transfer practices. In its final decision, issued on April 30, 2025, the DPC identified two significant GDPR infringements based on its investigation into data transfers between 29 July 2020 and 17 May 2023:

• GDPR Infringement 1: A breach of Article 46(1) of the GDPR. The DPC’s core finding was that TikTok had “failed to verify, guarantee and demonstrate” that personal data of its 159 million EEA users, when accessed remotely by personnel in China, was afforded a level of protection “essentially equivalent” to that within the EU.

• GDPR Infringement 2: A breach of Article 13(1)(f) of the GDPR. The DPC also concluded that for a portion of the inquiry period (29 July 2020 to 1 December 2022), TikTok had failed to provide its users with the required information about these international data transfers.

As a result of these findings, the DPC imposed a series of corrective measures designed to be among the most stringent in its history:

• An administrative fine totaling €530 million.

• A Suspension Order requiring TikTok to halt the data transfers to China.

• A Corrective Order requiring TikTok to bring its overall data processing operations into compliance with the GDPR.

The Court Application: Why TikTok fought for a 'stay'

While TikTok’s appeal of the decision automatically paused the €530 million fine, the Suspension and Corrective Orders were set to take effect. To prevent this, TikTok made an urgent application to the Irish High Court to “stay” (i.e., pause) these orders until its full appeal against the DPC’s decision could be heard. The core of the legal debate centered on two competing arguments:

TikTok's argument for a stay

Implementing the suspension would cause massive, unrecoverable harm, including billions of euros in expenditure, severe disruption to its business and workforce, and a diminished experience for its stakeholders.

The DPC's argument against a stay

The fundamental rights of TikTok’s 159 million monthly EEA users would be at risk if the data transfers were allowed to continue while the DPC’s decision was being appealed.

The High Court's decision: paused, but with conditions

In a judgment delivered on November 13, 2025, the High Court granted TikTok’s request for a stay. The court’s decision-making process provides a masterclass in judicial risk assessment, beginning with a pivotal choice of legal framework.

Choosing the Battleground: Okunade vs. Zuckerfabrik

Before weighing the arguments, the court first had to decide which legal test to apply. The DPC argued for the strict, EU-level Zuckerfabrik test, typically used when challenging the validity of an EU regulation. This test places a very high bar on applicants, making it difficult to pause a regulator’s decision. TikTok, conversely, argued for the Irish national law standard from Okunade v Minister for Justice, which focuses on finding the “least risk of injustice” through a more holistic balancing of interests.

The court sided with TikTok, ruling that the Okunade test was the appropriate standard. This decision is the most significant precedent set by the judgment, establishing that challenges to DPC decisions in Ireland will be assessed under national procedural law, which provides a more comprehensive framework for considering business harm.

Applying the Okunade Test: A Balancing Act

Having chosen its framework, the court applied the Okunade test, leading to several key conclusions:

1. Serious and Irreparable Harm: The court was convinced that TikTok would suffer significant damage that could not be adequately compensated by money later. It acknowledged TikTok’s evidence estimating $

1.716 bi ll i o n in l os t p ro f i t an d $

3.105 billion in additional personnel costs. The judge concluded that quantifying the total loss, including damage to its business, workforce, and brand, would be nearly impossible.

2. The ‘Least Risk of Injustice’: The court weighed the certain harm to TikTok against the potential risk to users’ data rights and found that granting the stay represented the “least risk of injustice.” The factors that proved decisive in this balancing exercise were:

The DPC’s finding was that TikTok failed to demonstrate that data was protected, which is different from a positive finding that the data was not protected.
The inquiry’s findings were limited to a period ending in May 2023, and the court noted that TikTok has since implemented additional protective measures, such as its “Project Clover” initiative.
The DPC did not use its ‘urgency’ procedure under GDPR Article 66, which suggested to the court that the data protection risks were not considered immediately critical by the regulator itself.
A short delay for the appeal to be heard was deemed a limited and uncertain risk to user data compared to the certain and significant damage TikTok would suffer.

3. Strict Conditions for the Stay: The pause is not unconditional. As risk mitigation factors, the court imposed two strict conditions on TikTok:

TikTok must proceed with its full appeal diligently, with the goal of having the case heard by March 2026.
TikTok must notify all of its users about the DPC’s decision and the fact that it is being appealed.

What this means for your organisation: key takeaways

This case is a critical benchmark for any business involved in international data transfers. Beyond the headlines, the DPC’s decision and the court’s subsequent ruling offer several strategic lessons.

• The Burden of Proof for Data Transfers is High: The DPC’s decision hinged on TikTok’s failure to verify, guarantee, and demonstrate an “essentially equivalent level of protection” in China. This triad of verbs sets an incredibly high bar, reinforcing that the legal and operational onus is squarely on the data exporter to conduct, document, and defend a rock-solid assessment justifying its international data transfers.

• Regulators Can and Will Order Data Flows to Stop: The DPC’s use of a Suspension Order is a powerful demonstration of a regulator’s willingness to use its most severe corrective powers under GDPR Article 58. For any company where cross-border data flows are integral to operations, a regulatory halt represents a critical business continuity risk that must be mapped and mitigated.

• The Okunade Precedent is a Game-Changer for Challenging DPC Orders: The High Court’s decision to grant the stay provides a vital strategic insight. The Irish High Court will apply the Okunade ‘least risk of injustice’ standard, not the stricter Zuckerfabrik test, when considering a stay. This precedent means that well-documented evidence of severe, unrecoverable business harm (in this case, totaling over US$4.8 billion in potential losses and costs) can successfully pause a DPC order, even when fundamental data rights are at stake.

• User Transparency is a Fundamental Risk Mitigation Tool: The failure to properly inform users was a key infringement finding by the DPC. Furthermore, the court made user notification a mandatory condition for granting the stay. This underscores that clear, honest, and comprehensive communication with users about where their data goes and how it is protected is not an optional extra—it is a fundamental compliance requirement and a key factor in judicial assessments of risk.

The road ahead

TikTok has secured a crucial, but temporary, victory. While the ultimate legal battle over the lawfulness of its EEA-to-China data transfers is still to come, the High Court has already set a critical precedent on the procedural front. The ruling signals to all organisations under the DPC’s jurisdiction that the Irish courts provide a meaningful avenue to challenge the immediate implementation of even the most severe regulatory sanctions, provided the evidence of harm is overwhelming and expertly documented. The final outcome of the appeal will be closely watched, but the procedural playbook for future challenges has now been written.

Tags: Decision EU GDPR

Cookie	Duration	Description
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Principle Defence