On 11 June 2026, the Irish High Court handed down a ruling that data-protection lawyers across Europe will be parsing for years. It largely upheld the Data Protection Commission's (DPC) landmark €530 million GDPR penalty against TikTok over transfers of European user data to China — but it vacated the most consequential part of the order, the open-ended suspension of those transfers, and sent the question back to the regulator to think again.
The headline is that the fine stands. The substance is more interesting: a court told Europe's most powerful privacy regulator that it had reached the right finding of wrongdoing through partly the wrong reasoning, and had reached for its most disruptive remedy without doing the work to justify it.
What the DPC found, and why it was defensible
First, the steelman — because the DPC's core case is sound. In its 2 May 2025 decision, the DPC fined TikTok €485 million under Article 46(1) GDPR and €45 million under Article 13(1)(f). The Article 46 finding rests on a principle worth defending: a company exporting personal data cannot simply point to Standard Contractual Clauses and declare the box ticked. It must verify, guarantee and demonstrate that EEA data accessed remotely from China receives protection "essentially equivalent" to that within the EU. Given the breadth of China's National Intelligence Law (2017) and Counter-Espionage Law, the risk that state authorities could compel access is not a paper worry, and the burden of disproving it sits with the exporter. The €45 million transparency fine — for failing to name China as a destination country in its privacy policy — is even harder to argue with.
The High Court agreed with all of that. It confirmed that pseudonymised data remains personal data where a person stays identifiable, and it rejected TikTok's argument that merely identifying a transfer mechanism discharges the Article 46 duty. On the law of what TikTok did wrong, the regulator won.
Where the regulator overreached
The court's disagreement was about remedy and rigour. As the Arthur Cox analysis of the judgment ([2026] IEHC 347) sets out, the court found the DPC erred in two specific ways before ordering a blanket suspension. It refused to consider a third expert opinion on Chinese law that TikTok had submitted. And it concluded — "without stating the basis for its conclusion," per the Freevacy report — that TikTok's Project Clover pseudonymisation and access controls did not warrant a softer corrective path.
The court also reframed the legal test. The DPC had asked whether "the data in question can relate to an identifiable person directly or indirectly." The correct question, the court held, was "whether, in fact, data subjects can be identified." That shift from theoretical to actual identifiability is not a technicality. It is the difference between a regime that treats privacy-enhancing engineering as irrelevant and one that asks whether the engineering actually works.
Because those errors went to the remedy rather than the infringement, the court left the findings intact but vacated the corrective orders and remitted the suspension question to the DPC. The fine survives; the ban does not — at least not yet.
Why this is the proportionate outcome
A transfer suspension is the most drastic instrument in a regulator's toolkit. It would have reached behind a service used by roughly 200 million Europeans and forced a re-architecture of TikTok's data flows. TikTok has spent a reported €12 billion on Project Clover, its European data-sovereignty programme — dedicated data centres in Ireland, Norway and Finland, with the British firm NCC Group independently auditing access and reporting anomalies to regulators (per TikTok's own Project Clover Newsroom disclosures). A regulator is entitled to find those measures insufficient. What it is not entitled to do, the court effectively held, is dismiss them without engaging with the evidence and then deploy the heaviest available sanction.
That is proportionate regulation in action, and it is the right signal for the open internet. The alternative — where worst-case legal theory about a destination country automatically triggers a transfer ban regardless of the mitigations a company has actually built — would punish investment in data security rather than reward it. Every multinational running remote-access support under SCCs faces the same structural exposure TikTok did. The "actual identifiability" standard tells them that pseudonymisation, encryption and access controls count for something concrete.
The road ahead
The procedural history underlines how contested this has been: the High Court granted TikTok a stay in November 2025 ([2025] IEHC 619), and the Supreme Court kept that stay in place in April 2026 while the substantive challenge proceeded. Now the DPC has confirmed it will not appeal the June ruling, with Deputy Commissioner Graham Doyle restating that controllers must "demonstrate, when called upon to do so, that they have adequately verified the level of protection."
That is the durable lesson, and a fair one. The obligation to verify equivalent protection is real and TikTok was right to be held to it. But the corollary the court has now written into Irish jurisprudence is equally important: regulators must engage with the technical reality of how data is protected before reaching for the nuclear option. Enforcement and innovation are not enemies here — the judgment insists on both.