On 30 April 2026, the Irish Supreme Court unanimously dismissed the Data Protection Commission's (DPC) appeal and left intact a High Court stay on the regulator's enforcement orders against TikTok. The practical effect is narrow but consequential: TikTok need not yet pay the €530 million fine the DPC imposed on 2 May 2025, nor suspend its EEA-to-China data transfers, while its substantive challenge proceeds through the courts (Data Protection Commission).
The ruling decided a single, technical question — and got it right.
What the court actually decided
The DPC's underlying decision was substantial. It found that TikTok infringed Article 46(1) GDPR by failing to verify, guarantee and demonstrate that EEA user data remotely accessed by staff in China enjoyed protection essentially equivalent to that guaranteed in the EU, and Article 13(1)(f) by failing to tell users about those transfers. The penalties broke down as €485 million for the transfer breach and €45 million for the transparency breach, alongside an order to suspend transfers and reach compliance within six months (EDPB).
None of that was before the Supreme Court. The five-judge panel was not asked whether TikTok broke the law — that is for the substantive High Court proceedings, which opened on 3 March 2026 before Mr Justice Rory Mulcahy (Irish Times). The narrow question was: when a company appeals a DPC decision, what legal test governs whether the regulator's orders are paused in the meantime?
The DPC argued the test was a matter of EU law. The court disagreed. In judgments delivered by Mr Justice Brian Murray and Mr Justice Gerard Hogan, with the rest of the panel concurring, the court held that the standard for staying a regulatory decision is governed by Irish national law. That standard, Murray wrote, requires courts to "strike a balance between irreparable harm caused to a party in the event a stay is not imposed, and damage to the public interest or the rights of third parties." Hogan added that because the TikTok decision was made by the DPC as lead supervisory authority rather than jointly with other authorities, the EU-law theory the DPC advanced did not fit, and there was no obligation to refer the matter to the Court of Justice (Irish Times).
Steelmanning the regulator
The DPC's position deserves a fair hearing. Its strongest argument is that GDPR is a single European regime whose enforcement should not splinter into 27 different national procedures. If a German court grants stays freely and an Irish court grants them rarely, a company's exposure to a uniform EU law would depend on which member state happened to host its European headquarters — an outcome that cuts against the regulation's harmonising purpose. There is also a real public-interest stake: if the DPC is ultimately vindicated, every month the transfers continue is a month of EEA data flowing to a jurisdiction the regulator has found cannot guarantee equivalent protection. Those are serious concerns, not bureaucratic reflexes.
Why the court got the balance right
But the remedy the DPC sought — having EU law strip national courts of their ordinary discretion to grant stays — is disproportionate to the problem. A stay is not a verdict. It does not declare TikTok innocent; it preserves the status quo so that a €530 million penalty and a continent-spanning operational order are not executed before a court has tested whether they are lawful. "Enforce first, adjudicate later" is precisely the posture a rule-of-law system is built to resist, and it is most dangerous when the sums and the operational stakes are largest.
The asymmetry of harm favours the stay. If TikTok pays €530 million and halts transfers, then wins its appeal, the money can in principle be returned but the disruption to a lawful business — and to the millions of users and advertisers who depend on the service — cannot be undone. If TikTok loses, the fine is still collectable and the suspension can still be imposed, now on a sound legal footing. The Irish test Murray described captures exactly this calculus.
The ruling also matters beyond TikTok. Ireland hosts the EU establishments of a large share of the world's major platforms, which makes the DPC the lead supervisory authority for cross-border cases far out of proportion to the country's size. That concentration is an asset for the open internet only if it comes with predictable, court-supervised process. A regime in which the lead regulator could make its orders immediately self-executing — immune from the national procedural safeguards every other litigant enjoys — would make Ireland a riskier, not a safer, home for digital investment, and would invite forum-shopping away from rigorous enforcement rather than toward it.
What this does not settle
None of this lets TikTok off the hook. The company still faces a ten-day substantive hearing on whether its transfers and disclosures complied with GDPR, where it argues the DPC breached fair procedures and failed to engage with the evidence it submitted, including its "Project Clover" localisation programme. The DPC's findings on Article 46 — particularly the late-surfacing admission that some EEA data had in fact been stored on servers in China — remain a strong factual basis for enforcement if they hold up.
The Supreme Court simply confirmed that even a regulator with a strong case must let the courts test it before collecting. Proportionate regulation and due process are not obstacles to enforcement; they are what make enforcement legitimate. On that point, the court was unanimous, and correct.