Two years, one fine, still no final answer
On 30 April 2025, Ireland's Data Protection Commission (DPC) fined TikTok Technology Limited €530 million — €485 million for breaching Article 46 GDPR by transferring EEA user data to China without equivalent safeguards, and €45 million for failing to disclose those transfers under Article 13(1)(f). It ordered TikTok to suspend the transfers and bring its processing into line with GDPR Chapter V. TikTok appealed, won a stay, and the DPC even lost a Supreme Court fight over whether Irish or EU law governed that stay — a case the Supreme Court decided in TikTok's favour on 30 April 2026.
On 3 June 2026, the High Court finally ruled on the substance. In TikTok Technology Limited v Data Protection Commission [2026] IEHC 347, the court rejected the bulk of TikTok's eleven grounds of appeal and confirmed both infringement findings and the €530 million fine. But it also found the DPC had erred procedurally in two respects: refusing to consider a third expert opinion TikTok submitted on Chinese law, and failing to explain why TikTok's "Project Clover" pseudonymisation programme didn't warrant a lighter corrective response. Those errors, the court held, didn't undermine the infringement findings — but they could have affected the corrective order. So it vacated the suspension order and sent the question of what corrective measures are appropriate back to the DPC. The DPC has said it will not appeal. On 30 June, chair Des Hogan told Reuters the regulator was still reading the judgment and would take "the coming period" to decide whether to reimpose sanctions — with no fixed deadline, and any fresh order carrying fresh appeal rights for TikTok.
The case for the DPC's original order
The DPC's underlying concern is real and the court agreed with it: TikTok allowed China-based staff remote access to EEA user data without demonstrating — through Standard Contractual Clauses or otherwise — that Chinese law offered protection equivalent to the GDPR. China's national security and intelligence laws compel disclosure to state authorities with essentially no independent judicial check, which is precisely the risk the Schrems II line of case law was designed to catch. A regulator that can't act on that risk isn't protecting anyone. And TikTok's own privacy policy didn't clearly say EEA data could be accessed from China at all — a transparency failure that's hard to defend on any reading of Article 13.
Why the remittal matters more than the fine
The fine surviving intact is the least interesting part of this ruling. Big platforms treat headline GDPR fines as a cost of doing business — Meta and others have absorbed larger ones without changing course. What actually constrains a company like TikTok is an order that stops it moving data at all, and that's precisely the piece the court sent back for redo. The DPC now has to reconsider the suspension order from scratch, weighing Project Clover and the disputed expert evidence the first time round, with no deadline attached. Whatever it decides will itself be appealable. Realistically, an EEA-to-China transfer regime for TikTok that was supposed to be settled in the first half of 2025 is now unlikely to be operationally final before 2027 — more than two years after the DPC's original decision.
That delay is the actual story, and it isn't unique to TikTok. Ireland's DPC — which handles the lion's share of cross-border GDPR cases because so many platforms have their EU establishment there — now accounts for roughly €4.04 billion of the €7.1 billion in cumulative GDPR fines issued since 2018, according to enforcement tracking by ComplianceHub.Wiki. Big-platform cases routinely take years, get stayed pending appeal, and then get remitted back to the start on procedural technicalities. That's not a robust enforcement regime; it's a slow one, and slowness has real costs — for users whose data sits in legal limbo for years, and for smaller competitors who can't survive equivalent delay even if they wanted to litigate that hard.
A partial fix is coming — in 2027
Brussels has recognised the problem. Regulation (EU) 2025/2518, adopted 26 November 2025 and in force since 1 January 2026, imposes actual deadlines on cross-border GDPR investigations — 15 months for standard cases, with a simplified 12-month track for others — and harmonises how DPAs across the EEA handle admissibility and cooperation. It's a sensible, proportionate reform: it doesn't weaken GDPR's substantive standards, it just forces regulators to move. The catch is timing. It only applies to investigations opened after 2 April 2027, so it does nothing for the TikTok case now bouncing back to the DPC, or for the dozens of similar cross-border inquiries already in the pipeline.
The proportionate reading
None of this is an argument against enforcing Article 46 against real transfer risk — the underlying finding here looks sound, and platforms that move EEA data to jurisdictions with weak judicial oversight should expect scrutiny. It's an argument that a regime this slow undermines its own legitimacy. A GDPR that takes three-plus years to produce a final, appeal-proof answer on a single company's China data flows isn't protecting users any faster than one that took six months — it's just imposing more uncertainty on everyone, including the regulator whose procedural shortcuts are now the reason the case isn't over.