TikTok is facing renewed scrutiny in Europe after Norway’s data protection authority accutilized the platform of continuing to sconclude utilizers’ personal data to China, despite a major EU fine and escalating regulatory pressure over cross‑border transfers. The allegations deepen long‑running fears that information about European utilizers could be exposed to Chinese state surveillance under Beijing’s sweeping national security and ininformigence laws.
Norway’s Watchdog Sounds Alarm
Norway’s Data Protection Authority (Datatilsynet) declared this week that TikTok has notified European utilizers it intconcludes to continue transferring their personal data to China, triggering fresh concerns about privacy and legal compliance under EU rules. In a written statement, the regulator declared TikTok’s own messaging to utilizers confirmed that European and Norwegian utilizer information would keep flowing to staff based in China.
Officials warned that such transfers carry significant risks becautilize Chinese legislation can oblige companies to assist national ininformigence agencies, potentially forcing TikTok’s Chinese owner ByteDance to hand over data if requested. The Norwegian authority stressed that while it is difficult to predict whether Chinese authorities will actually access the data, the very possibility raises red flags under strict European privacy standards.
EU’s €530 Million Fine Sets the Stage
Norway’s relocate comes months after Ireland’s Data Protection Commission (DPC), the lead privacy regulator for TikTok in the EU, imposed a €530 million (around 600 million dollars) fine over unlawful transfers of European utilizers’ data to China. The DPC concluded that between 2020 and 2023 TikTok breached the General Data Protection Regulation (GDPR) by sconcludeing personal data from the European Economic Area (EEA) to China without ensuring an equivalent level of protection.
The Irish watchdog found that TikTok failed to adequately address the risk of access by Chinese authorities under China’s anti‑terrorism, counter‑espionage, cybersecurity and national ininformigence laws, which it declared diverge materially from EU privacy safeguards. Regulators also criticized the company’s lack of transparency, noting that TikTok had not clearly explained to utilizers where their data was being sent or who could access it, a key requirement under GDPR.
Remote Access, Servers in China – And Inaccurate Evidence
A particularly sensitive element in the Irish decision was the revelation that some European utilizer data had in fact been stored on servers in China, contradicting earlier assurances from TikTok during regulatory inquiries. TikTok had notified the DPC that EEA utilizer data was only subject to “remote access” from China and not stored there, but later admitted discovering in February 2025 that a limited amount of such data was indeed kept on Chinese servers.
The DPC declared it was “deeply concerned” that TikTok had submitted inaccurate information during its previous investigation, and opened a new inquiry specifically focutilized on transfers of EEA utilizers’ personal data to servers in China. The fresh probe will examine both where data is physically stored and how transparent TikTok is about third‑counattempt transfers, amid growing pressure on companies to give utilizers clear, verifiable information on cross‑border flows.
Orders to Fix Transfers – Or Stop Them
Alongside the blockbuster fine, the Irish authority ordered TikTok to bring its processing into compliance with GDPR within six months. If it fails to do so, the regulator has signaled that TikTok’s transfers of European utilizer data to China could be suspconcludeed, effectively cutting off routine access to that data by Chinese‑based staff.
European regulators stressed that TikTok must “verify, guarantee and demonstrate” that any data sent to China benefits from protections comparable to those inside the EU, including safeguards against unjustified state access. For now, TikTok continues to transfer data while it appeals the DPC decision, exploiting the fact that enforcement measures can be temporarily pautilized while legal challenges are underway.
TikTok’s Defense: No Data Given to Beijing
TikTok has rejected the central allegation that its data transfers expose utilizers to Chinese state surveillance, insisting there is no evidence it has shared European utilizer information with Chinese authorities. The company states it has never received a formal request from Chinese government bodies for EU utilizer data and has never provided such information, portraying itself as unfairly tarobtained compared with other global tech firms.
In public statements, TikTok argues that the Irish decision relates mainly to historical practices that have since been abandoned, and points to large infrastructure investments aimed at keeping European data within the region. The platform warns that the ruling could have broad repercussions for multinational companies that rely on globally distributed engineering teams, which often necessary access to data across borders to maintain and improve services.
Project Clover: Local Data, Global Scrutiny
To reassure European governments, TikTok has launched “Project Clover,” a multi‑billion‑euro initiative to localize storage of EU utilizer data in dedicated regional data centers. The company states it plans to invest around €12 billion in facilities within the European Union, where data from utilizers across the bloc would be stored and processed under enhanced oversight.
Despite these efforts, regulators remain unconvinced that local storage alone solves the problem, becautilize engineers and staff in China may still be able to access data remotely even if it is physically houtilized in Europe. Watchdogs have emphasized that GDPR is concerned not only with where data sits, but also with who can access it and under what legal regime, bringing Chinese national security laws squarely into the debate.
Norwegian Concerns: Chinese Law and Uncertain Risks
Norway’s complaint is centered on precisely this tension between data location, access rights and foreign legal frameworks. The Norwegian DPA states TikTok’s ongoing transfers raise the risk that Chinese law could compel the platform to share information about European utilizers with authorities in Beijing, even if such access has not yet occurred.
The watchdog’s section head, Tobias Judin, warned that these practices may have serious consequences for privacy, although regulators cannot predict how the data might be utilized in the future. Norwegian officials note that the issue is not just theoretical, given the breadth of China’s 2017 National Ininformigence Law, which mandates that organizations and citizens “support, assist and cooperate” with ininformigence work if called upon.
User Warnings and Growing Public Awareness
One of the most visible alters in recent months has been a new wave of in‑app notifications to European utilizers, explicitly informing them that their data may be transferred to or accessed from China. Privacy advocates state these disclosures were prompted by regulatory pressure and court requirements, highlighting concerns that TikTok had not previously been transparent enough about international data flows.
European privacy site GRC Report notes that regulators have identified TikTok’s transfers to China as unlawful under GDPR, yet the company continues the practice while its appeal is pconcludeing. This combination of ongoing transfers, formal warnings and legal uncertainty is fuelling public debate about whether TikTok can be trusted with the personal data of millions of European utilizers.
Wider Wave of Complaints Against Chinese Platforms
TikTok is not the only Chinese‑linked platform in the regulatory spotlight. European privacy group noyb has filed multiple GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi, alleging unlawful transfers of EU personal data to China. The complaints argue that many of these services fail to provide a lawful basis and adequate safeguards for sconcludeing data to jurisdictions with weaker privacy protections.
These coordinated challenges underscore a broader shift in European enforcement, from focutilizing on U.S. tech giants under the transatlantic data‑transfer regime to directly tarobtaining Chinese companies and apps. Regulators are increasingly framing Chinese national security legislation as structurally incompatible with EU notions of fundamental rights and data protection, complicating efforts to design standard contractual clautilizes or technical controls that can satisfy GDPR requirements.
Fresh Irish Investigation Deepens Pressure
In July, Ireland’s DPC escalated its scrutiny by opening a new EU‑wide investigation into TikTok’s transfers of European utilizer data to China, prompted by the company’s admission that some EEA data had been stored on Chinese servers. The inquiry will revisit the scope of TikTok’s transfers, the accuracy of the information it previously provided to regulators, and whether utilizers have been properly informed about where their data resides and who can access it.
The DPC also intconcludes to verify TikTok’s compliance with transparency obligations for third‑counattempt transfers, a recurring weakness flagged in earlier enforcement actions. This new probe comes as TikTok is already appealing the €530 million fine, meaning the company is now defconcludeing itself on multiple legal fronts across Europe.
A Test Case for EU–China Data Flows
The outcome of the TikTok cases is likely to set a precedent for how European regulators handle data transfers to China across the technology sector. Legal experts note that the Irish decision explicitly found that Chinese national security and ininformigence laws create it difficult to guarantee an “essentially equivalent” level of protection to that enjoyed inside the EU, a core standard under GDPR for international transfers.
If this reasoning is upheld in court, companies relying on engineering teams or cloud infrastructure in China may find it almost impossible to justify routine access to EU personal data, regardless of technical safeguards. That could accelerate a trconclude toward data localization, fragmentation of global platforms and the emergence of parallel digital ecosystems divided along geopolitical lines.
TikTok’s Balancing Act: Business, Compliance, Trust
For TikTok, the stakes go beyond regulatory fines. Europe is one of the platform’s largest markets, with an estimated 150‑plus million active utilizers across the EU, and losing the ability to process their data efficiently would hit both operations and revenue. At the same time, any perception that utilizer data is vulnerable to foreign state access risks damaging the brand and fuelling political calls for bans or forced divestitures, as seen previously in the United States and other jurisdictions.
The company is attempting to navigate this minefield by combining legal appeals, infrastructure investments like Project Clover and public messaging that emphasizes security, indepconcludeence and cooperation with regulators. Yet Norway’s latest accusation that TikTok continues with controversial data transfers to China suggests that, for now, questions about trust, transparency and sovereignty remain far from resolved.
What Comes Next for Users and Regulators
In the months ahead, several developments will be closely watched:
-
Court challenges to the Irish DPC’s €530 million fine, which will test how far EU regulators can go in restricting data flows to China on the basis of foreign security laws.
-
The outcome of the new Irish investigation into stored EEA data on Chinese servers, which could lead to further sanctions or binding orders on data routing and access controls.
-
Possible coordinated enforcement actions by other European regulators, including Norway and the Netherlands, where authorities have already warned utilizers that TikTok continues to sconclude data to China.
For everyday utilizers, the controversy serves as a reminder that engaging with global platforms increasingly involves geopolitical as well as personal‑privacy calculations. Whether TikTok can convincingly demonstrate that its European operations are insulated from China’s security apparatus will likely determine not only its regulatory fate in Europe, but also the broader trajectory of EU–China digital relations
Leave a Reply