Recently, while scrolling TikTok, I noticed a notification explaining the platform’s position on the “Irish GDPR decision about TikTok’s transfer of European Economic Area (EEA) user data to China” (shown below). It wasn’t a marketing message or a transparency update. It was the result of a High Court order requiring TikTok to notify all users of the Irish Data Protection Commission’s (DPC) decision while its appeal is underway (see TikTok Technology Limited & TikTok Information Technologies UK Limited v Data Protection Commission [2025] IEHC 619).
That notification is tied to one of the most significant GDPR enforcement actions of the past year and one that illustrates, with unusual clarity, how far European regulatory authority now extends beyond its borders.
The DPC’s €530 Million Decision
In May 2025, the Irish Data Protection Commission, acting as TikTok’s Lead Supervisory Authority under the GDPR, fined the company €530 million and issued a series of corrective measures. TikTok’s main EU establishment is in Ireland, which places the company squarely under the DPC’s jurisdiction for cross‑border processing.
The DPC found that TikTok’s transfers of EEA user data to China infringed Article 46(1) GDPR. Specifically, TikTok failed to verify, guarantee, and demonstrate that its supplementary measures and Standard Contractual Clauses (SCCs) were effective in ensuring an “essentially equivalent” level of protection for data accessed remotely by staff in China.
Transparency Failures Under Article 13
The DPC also examined TikTok’s October 2021 EEA Privacy Policy under Article 13(1)(f) GDPR, which requires controllers to inform users when their personal data is transferred to third countries.
Two deficiencies were identified:
The policy did not name the third countries involved, including China.
It failed to explain that staff in China had remote access to personal data stored in Singapore and the United States.
As a result, TikTok was ordered to bring its processing operations into compliance within six months of the expiry of the appeal period.
TikTok has appealed the DPC’s decision to the Irish High Court. As part of that process, the Court granted a stay on the DPC’s corrective orders while the matter is heard. The stay includes a requirement, set out at paragraph 250 of the judgment, that TikTok notify all users of the DPC’s decision in clear and easily understood language. The notification may also reference TikTok’s appeal and the stay itself.
This is the notification users are now seeing in‑app.
Why This Case Matters
This case is a textbook example of the GDPR’s extraterritorial reach. The data at issue was accessed by staff in China. The servers involved were located in Singapore and the United States. Yet the enforcement action, the fine, and the corrective orders all originate from Ireland because the affected users are in the EEA, and because TikTok’s EU decision‑making structure is based in Dublin.
It is also a preview of what is coming under the EU AI Act. Like the GDPR, the AI Act is designed to apply well beyond Europe’s borders, and companies operating globally will face similar questions about jurisdiction, governance, and compliance obligations that follow the user rather than the infrastructure.
For organisations outside the EU, this case is a reminder that avoiding a physical presence in Europe does not avoid European regulation. If anything, it removes the procedural protections that come with having a recognised “main establishment” and a single Lead Supervisory Authority.
Hi 👋 I’m Rikki Archibald, an AI Risk and Compliance Consultant and Founder of Sena Consulting.
I help organisations put the right frameworks, staff training, and internal policies in place so they can use AI safely and responsibly. With strong governance at the core, AI adoption becomes faster, smarter, and more sustainable, enabling you to innovate quickly, scale with confidence, and stay ahead of the curve.
Through this newsletter, I share AI regulatory updates, global headlines, and case summaries, with clear takeaways for organisations that want to move fast with AI, without the unnecessary risk.