PL
All cases E TikTok / X

TikTok — transfers to China

EUR 530M for transfers to China + PAFACA ban in the US

Explainer · 60s

TikTok — transfers to China · EUR 530M DPC + PAFACA USA

Static animation (SVG + CSS). No audio. No trackers. Open in a new window ↗

E03 — TikTok: EUR 530M for transfers to China + PAFACA ban in the US

Category: Third-country data transfers / national security / Schrems II / geopolitics Company/companies: TikTok / ByteDance Years: 2020–2022 (audited practice), 2025 (DPC fine), January 2025 – January 2026 (US PAFACA) Status: EU — fine paid, compliance in progress; US — USDS Joint Venture since January 22, 2026 Card ID: E03

Metadata

FieldValue
Country/regionEU, US; Chinese ByteDance in Beijing
Year revealedSeptember 2021 (DPC opens transfer investigation); March 2024 (PAFACA enacted)
Years of practiceJuly 29, 2020 – December 2022 (DPC period); continuous through 2025
Total fineEUR 530,000,000 (DPC 2025) = EUR 485M for transfers + EUR 45M for transparency
CurrencyEUR
Legal basisGDPR art. 46(1) (transfers), art. 13(1)(f) (transparency); PAFACA (US federal); SCOTUS TikTok v. Garland
Whistleblower/discovererDPC Ireland own-volition inquiry; FBI/Christopher Wray warnings
Number of affected159M (as of 2024; TikTok reported 175M for 2023) active TikTok users in the EU; 170M in the US
Status (as of today)EU: fine paid, Project Clover; US: USDS Joint Venture (Jan 22, 2026)

TL;DR

Case E03 is a two-track battle between TikTok and regulators in 2024–2026:

1. EU — EUR 530M fine (DPC Ireland, May 2, 2025). After four years of investigation, the Irish Data Protection Commission fined TikTok for illegal transfers of EEA data to China. The fine consisted of: EUR 485M for violations of GDPR art. 46(1) (lack of appropriate safeguards for transfers to a third country without an adequacy decision) + EUR 45M for violations of GDPR art. 13(1)(f) (lack of transparency toward users). Additionally: an order to suspend transfers within 6 months if TikTok fails to ensure compliance. TikTok appealed.

The DPC’s key argument: remote access by employees in China = transfer within the meaning of Chapter V GDPR (even if the data is physically stored on servers in the EU/Singapore/US). This is a groundbreaking legal finding. In addition, TikTok lied during the investigation — in April 2025, it admitted that “limited EEA User Data” had in fact been stored on servers in China contrary to previous assurances. The DPC is considering further action.

2. US — PAFACA (Protecting Americans from Foreign Adversary Controlled Applications Act). President Joe Biden signed PAFACA on April 24, 2024. The act gave ByteDance 9 months for divestiture of TikTok or face a ban in the US. Deadline: January 19, 2025. SCOTUS in TikTok v. Garland (January 17, 2025) upheld PAFACA against a First Amendment challenge. On January 18, 2025, the day before the deadline, TikTok shut itself down in the US. On January 20, 2025Trump (inauguration day) signed an executive order delaying enforcement by 75 days. TikTok returned 24 hours later. Further extensions: April 4, 2025 (+75 days), June 17, 2025 (+90 days).

On January 22, 2026 — the TikTok USDS Joint Venture was finalized. Structure:

  • Oracle: 15%
  • Silver Lake: 15%
  • MGX (UAE): 15%
  • ByteDance: 19.9% (just under the statutory threshold)
  • Others: US institutional investors, US-majority board
  • Recommendation algorithm: IP still in Beijing, US entity under license

Critics (House Select Committee on CCP, Sen. Ed Markey) argue that the divestiture is illusory: the algorithm stays with ByteDance, and audits cannot replace control. Markey: “This lack of transparency reeks.”

Case E03 is unique in the database — the only one that combines: a GDPR fine, US national security, a SCOTUS case, an act of Congress, a geopolitical trade war, and conflicting legal interpretations (US: TikTok is a threat; EU: TikTok violates GDPR but continues to operate). It shows how difficult it is to regulate global platforms in an era of geopolitical fragmentation.

Timeline

  • August 2018 — TikTok’s global debut.
  • 2020 — Trump issues Executive Order 13942 — initial TikTok ban. Blocked by courts.
  • 2021 — Biden revokes Trump’s EO.
  • 2021 — DPC Ireland opens an inquiry into transfers to China.
  • July 29, 2020 — start of the DPC audit period (through December 2022).
  • November 2022 — FBI’s Christopher Wray issues public warnings.
  • December 22, 2022Forbes reveals surveillance of journalists → E01.
  • March 2023 — Shou Chew testifies before Congress.
  • 2023 — TikTok launches Project Texas ($1.5B) and Project Clover (Europe).
  • March 13, 2024 — House passes PAFACA (Protecting Americans from Foreign Adversary Controlled Applications Act).
  • April 24, 2024 — Biden signs PAFACA. Divestiture deadline: January 19, 2025.
  • May 7, 2024 — TikTok sues the US in the D.C. Circuit.
  • December 6, 2024 — D.C. Circuit upholds PAFACA.
  • January 17, 2025SCOTUS in TikTok, Inc. v. Garland upholds PAFACA 9-0.
  • January 18, 2025 — TikTok shuts itself down in the US before midnight.
  • January 19, 202512 hours after shutdown, TikTok begins to restore service following Trump’s assurances.
  • January 20, 2025 — Trump inauguration + EO delaying enforcement (+75 days).
  • February 21, 2025 — DPC sends a draft decision through the cooperation mechanism.
  • April 4, 2025 — Trump’s second EO (+75 days).
  • April 2025 — TikTok admits that EEA data had in fact been on servers in China.
  • May 2, 2025DPC: EUR 530M fine.
  • June 17, 2025 — Trump’s third EO (+90 days).
  • November 2025 — USDS negotiations finalized.
  • January 22, 2026TikTok USDS Joint Venture formally closed.
  • April 2026 (present) — TikTok operates in the US under the new structure; the EU fine is under appeal.

Mechanism

GDPR Chapter V — transfers to a third country

Legal basis:

  • GDPR art. 44 — general rule: transfer to a third country only if the conditions of Chapter V are met.
  • Art. 45adequacy decision by the Commission (e.g., Canada, Japan, UK, Israel, Switzerland).
  • Art. 46appropriate safeguards (SCCs, BCRs, supplementary measures).
  • Art. 49 — derogations (rarely used).

China: no adequacy decision. So TikTok must rely on art. 46 — Standard Contractual Clauses (SCCs) + supplementary measures.

Schrems II as precedent

CJEU Schrems II (C-311/18, July 16, 2020) — struck down the US Privacy Shield; established that the data exporter (the company sending the data) must “verify, guarantee, and demonstrate” that the data receives “essentially equivalent” protection in the third country.

DPC applied Schrems II to China:

  • Assessment of Chinese law: National Intelligence Law (2017), Counter-Espionage Law, Anti-Terrorism Law, Cybersecurity Law.
  • Conclusion: Chinese law compels companies to cooperate with any state “intelligence work.” No independent judicial oversight. No appeal mechanisms for EU citizens.
  • TikTok’s SCCs + supplementary measures were insufficient.

”Remote access = transfer”

The DPC’s key finding: when an employee in China remotely connects to a server in the EU or Singapore and sees EEA user data, that is a transfer within the meaning of Chapter V.

TikTok’s argument: the data is not physically located in China. The DPC’s counter: remote access leaves caches, temporary files, and local memory. From the perspective of Chinese authorities, the data is accessible.

This precedent has enormous consequences for every global company:

  • Google, Meta, Microsoft with employees in China/Russia/other non-adequacy countries
  • SaaS companies with helpdesks in the Philippines, India, Pakistan may face a similar problem
  • Post-COVID remote work — an employee in China with a laptop that looks EU-based = transfer

Project Clover (TikTok Europe)

TikTok’s response: Project Clover (2023–2026). EUR 12B invested in:

  • Dublin data center (Ireland)
  • Hamar data center (Norway)
  • Independent audit firm — NCC Group
  • “Gateway” — EEA data held in an enclave, access from China only after audit

DPC’s assessment: a positive step, but still insufficient during the audited period (2020–2022).

PAFACA and the US ban

Protecting Americans from Foreign Adversary Controlled Applications Act:

  • Defines a “foreign adversary controlled application” as an application controlled by a company from China, Russia, Iran, or North Korea.
  • Requires qualified divestiture — a full sale.
  • Deadline: 9 months + a possible 90-day extension.
  • Enforcement: app stores (Apple, Google) + hosting providers may not distribute / update the app.

Key legal points at SCOTUS:

  • Court Opinion (per curiam, Jan 17, 2025): PAFACA passed First Amendment scrutiny. Rationale: data collection concern (not content manipulation).
  • Justice Gorsuch (concurrence): “One man’s ‘covert content manipulation’ is another’s ‘editorial discretion.’”
  • Amici curiae opposing PAFACA: ACLU, EFF, Knight First Amendment Institute — arguing prior restraint, a First Amendment violation.

USDS Joint Venture (January 2026)

Structure:

  • Oracle: 15% (managing investor, hosting)
  • Silver Lake Partners (US): 15% (managing investor)
  • MGX (UAE government fund): 15% (managing investor)
  • ByteDance: 19.9%under the 20% threshold (PAFACA requires <20%)
  • Others: US institutional investors (including affiliates of existing ByteDance investors)
  • Board: US-majority
  • Data: on Oracle cloud in the US
  • Algorithm: owned by ByteDance in Beijing, licensed to USDS

Controversies:

  • House Select Committee on CCP: the structure does not meet PAFACA’s requirements (the algorithm is still Chinese).
  • Sen. Ed Markey (D-MA): “The White House has provided virtually no details… This lack of transparency reeks.”
  • ~30% of shares belong to affiliates of existing ByteDance investors (not new US capital).
  • E-commerce (TikTok Shop) is outside the joint venture — still under ByteDance.

Discovery

DPC own-volition inquiry (September 2021)

The DPC opened the investigation on its own initiative (without a specific complaint), as the lead supervisory authority for TikTok (whose European headquarters are in Dublin). Context: growing concerns about Chinese access to Europeans’ data.

Key discoverers

  • DPC Commissioners: Dale Sunderland, Des Hogan (since 2024); Graham Doyle (Deputy Commissioner).
  • Helen Dixon (DPC 2014–2024) — initiated the inquiry.

First publications

  • May 2, 2025 — DPC: “Irish Data Protection Commission fines TikTok €530 million”
  • May 2, 2025 — Reuters, Euronews, Hacker News, CNBC
  • April 24, 2024 — PAFACA signed: WaPo, NYT, WSJ
  • January 17, 2025 — SCOTUS: broad media coverage
  • January 22, 2026 — USDS Joint Venture: tech media, Sen. Markey publicly

Key people

DPC / EU

  • Dale Sunderland — DPC Commissioner.
  • Des Hogan — DPC Commissioner.
  • Graham Doyle — Deputy Commissioner, chief spokesperson.

TikTok / ByteDance

  • Shou Chew — CEO of TikTok.
  • Zhang Yiming — founder of ByteDance.
  • Liang Rubo — CEO of ByteDance.

US politicians

  • Joe Biden — signed PAFACA, April 2024.
  • Donald Trump — 3 executive orders delaying enforcement (January, April, June 2025).
  • Rep. Mike Gallagher (R-WI) — co-author of PAFACA.
  • Rep. Raja Krishnamoorthi (D-IL) — co-author of PAFACA.
  • Sen. Ed Markey (D-MA) — critic of USDS.
  • Christopher Wray — FBI Director until 2025.
  • House Select Committee on the CCP.

Courts

  • SCOTUS — unanimous in TikTok v. Garland, January 17, 2025.
  • D.C. Circuit — upheld PAFACA (December 2024).

Oracle + USDS investors

  • Larry Ellison — Chairman of Oracle.
  • Jeffrey Yass — Susquehanna International Group, 15% stake in ByteDance; major Trump donor.

Company response

TikTok / ByteDance

Stage 1: Project Texas (2022–2023). $1.5B in the US: Oracle hosting, USDS (a separate unit).

Stage 2: Project Clover (2023–2026). EUR 12B in Europe: data centers in Ireland and Norway.

Stage 3: defense in the courts (2024). TikTok and 8 creators sue the US over PAFACA.

Stage 4: defeat in the courts (January 2025). D.C. Circuit + SCOTUS uphold.

Stage 5: brief shutdown and comeback (January 2025). A spectacular PR operation.

Stage 6: appeal of the DPC decision (May 2025+). High Court Ireland judicial review.

Stage 7: USDS Joint Venture (January 2026). “Qualified divestiture” in a structure that preserves ByteDance’s control over the algorithm.

US administration

Biden (2021–2025): PAFACA signed, but enforcement pushed onto Trump.

Trump (2025+): 3 successive enforcement delays. Ultimately negotiated the USDS Joint Venture.

Jurisdictions

  • Ireland — DPC (EU lead), High Court (appeal)
  • EU — EDPB cooperation
  • US — D.C. Circuit, SCOTUS, Eastern District of Virginia
  • China — potential divestiture blocks (Beijing export controls)

EU:

  • GDPR art. 44, 46(1) — third-country transfers
  • GDPR art. 13(1)(f) — transparency
  • Schrems II (C-311/18, 2020) — precedent

US:

  • PAFACA 2024
  • First Amendment (unsuccessfully raised by TikTok)
  • Bill of Attainder Clause (Article I Section 9) — unsuccessful
  • National security as a basis

Key milestones

DateMilestone
September 2021DPC inquiry start
March 2024House PAFACA
April 24, 2024PAFACA signed
December 6, 2024D.C. Circuit upholds
January 17, 2025SCOTUS upholds
January 18–19, 2025TikTok shutdown + comeback
May 2, 2025DPC EUR 530M
January 22, 2026USDS Joint Venture

Penalties and settlements

DateAuthorityAmountJurisdictionBasis
May 2, 2025DPC IrelandEUR 530,000,000EUGDPR art. 46(1), 13(1)(f)

Additionally in the US: formally not a fine (regulation), but a divestiture with an estimated value of more than $50B.

Precedents and implications

For EU law

  • “Remote access = transfer” — the most important finding of 2025. Consequences for every global company.
  • Schrems II + China — precedent for other countries without adequacy (Russia, India, Saudi Arabia).
  • EDPB after TikTok’s EUR 530M — guidelines in progress for 2026.

For US law

  • PAFACA as an app-specific ban — precedent for future applications (WeChat, CapCut, Lemon8, potentially Shein, Temu).
  • SCOTUS upholding — cements Congress’s powers on national security issues online.

For Big Tech practice

  • Global SaaS with employees in China/Russia must retrain compliance.
  • Salesforce, Zoom, SAP, Oracle and the like — all must prove that their architecture does not rely on Chinese employees for EEA data.
  • “Project Clover” as a model — separation of infrastructure for regulatory regions.

Class actions

  • TikTok creator lawsuits against the US (2024): 8 creators sue, unsuccessful at SCOTUS.

Conclusions for citizens

What does this mean for me?

If you are in the EU:

  • TikTok claims that EEA data is protected after Project Clover. The DPC has not approved.
  • Your TikTok algorithm (recommendations) is developed in China.
  • The EUR 530M fine is ~0.5% of ByteDance’s annual revenue. Economically: an acceptable cost.

If you are in the US:

  • TikTok returned after January 22, 2026 as a USDS Joint Venture.
  • The algorithm is still Chinese (licensed).
  • Data is on Oracle in the US.

How to protect yourself?

  1. Check whether your data is being transferred: TikTok Settings → Privacy → Download Your Data → review.
  2. Turn off personalized ads and Location.
  3. For sensitive content — do not use TikTok.
  4. Consider alternatives — Instagram Reels, YouTube Shorts (they have their own problems, but fall under US jurisdiction).

What rights do I have?

In the EU:

  • GDPR art. 15 — download your data.
  • GDPR art. 17 — request deletion.
  • GDPR art. 21 — object to processing.
  • GDPR art. 82 — compensation.
  • DSA (Digital Services Act) — as a VLOP, TikTok must publish transparency reports.

In the US:

  • State laws (CCPA, BIPA, etc.)
  • No federal GDPR equivalent.

Where to file a complaint?

  • Poland: UODO
  • EU: national DPA
  • UK: ICO

Note for mediators, lawyers, data controllers

For companies processing EU data with help from employees in China:

  • The TikTok precedent applies to you directly. If you have a helpdesk in China that sees Polish data — that is a transfer.
  • Audit: do employees in China have access? What kind? What supplementary measures?
  • A DPIA is mandatory for this type of transfer.

For companies with employees in Russia, Iran, or Belarus:

  • Even greater risk. No adequacy, no SCCs officially supporting the arrangement.
  • Consider geofencing employees (do not give them access to EEA data).

For law firms:

  • Professional privilege vs. TikTok — do not hold sensitive consultations in rooms with TikTok active (microphone, location).
  • Consider a policy: TikTok not allowed on work devices.

For Polish mediators / lawyers:

  • Participants in youth mediation (ages 13–17) often use TikTok. As part of mediation, ask about the presence of the app and the risk of leaks.

Context

  • The 12-hour TikTok blackout in the US (January 18–19, 2025) — spectacular PR. TikTok sent users the message: “Sorry, TikTok isn’t available right now. A law banning TikTok has been enacted in the U.S.” Then: “We are fortunate that President Trump has indicated he would work with us on a solution.” After 12 hours: “Welcome back!” This is a classic example of platform lobbying through its users.
  • Trump changed his mind after meeting with Jeff Yass — in 2020, Trump favored a ban. In 2024, after a meeting (February 2024) with Jeff Yass (billionaire ByteDance investor, 15% stake worth ~$21B), Trump reversed his position. Yass was also a co-investor in the parent company of Truth Social (Trump’s social media). Conflict of interest.
  • Malaysia and Indonesia blocked Grok (January 2026, E04) — showing that regulators around the world are taking sides in Big Tech disputes.
  • Project Clover (EUR 12B) — an investment larger than the GDP of many countries. For comparison: Liberia’s GDP is ~$4B. TikTok spent 3x more on GDPR compliance than Liberia’s entire economy produces.
  • “Algorithm IP in Beijing” — the key problem with the USDS Joint Venture. License ≠ ownership. The House Select Committee on CCP deemed this a structural deficiency. Alternative: ByteDance preferred shutdown to selling the algorithm (Chinese export controls).
  • SCOTUS 9-0 — a unanimous decision is rare in such a contested case. It shows the strength of the national security argument even on an ideologically divided bench (Gorsuch, Thomas, Kavanaugh from the conservative side; Sotomayor, Kagan, Jackson from the progressive side — all joined).
  • ACLU + EFF + Knight First Amendment Institute — an amicus brief argued that PAFACA is prior-restraint censorship. Unsuccessful. But their position remains a template for future cases.
  • 159M TikTok users in the EU (as of 2024; TikTok reported 175M for 2023) — comparable to Meta/Instagram. Poland: ~16M. TikTok is deeply rooted in media culture.
  • “FTC warned domestic technology companies” (August 2025) — the FTC under Trump warned that GDPR compliance by American firms could be “censoring Americans to appease foreign states” — potentially violating the FTC Act. This is an unusual reaction: the US defending its companies from EU regulation. A precedent for jurisdictional conflict.
  • TikTok lied during the DPC investigation — in April 2025, three months after closing arguments, TikTok admitted that limited EEA User Data had in fact been on servers in China contrary to earlier assurances. The DPC is considering further action. This is a signal: not just a GDPR violation, but misleading the regulator — potentially criminal.
  • Jeffrey Yass — a key figure behind the scenes — billionaire, Susquehanna International Group, 15% stake in ByteDance. Yass’s trading firm earned billions on Chinese emerging tech. Trump’s reversal on TikTok is widely attributed to Yass’s influence. Yass is also a co-investor in Trump Media & Technology Group (Truth Social).
  • Polish context — the Polish government (Council of Ministers) in 2023 banned TikTok on work devices of state officials. Similar bans in: France, the UK, Germany, Canada, and Australia. The Polish government does not block civilian users.
  • Chinese reaction — MOFA (China’s Ministry of Foreign Affairs) in March 2024: PAFACA puts the US “on the opposite side of fair competition and international economic and trade rules.” The Propaganda Department mobilized Chinese media to defend ByteDance. Beijing points to Chinese export controls for the algorithm — effectively blocking a full sale.
  • Project Texas — $27M in lobbying — ByteDance/TikTok spent $27M on US lobbying in 2019–2024. Comparable to Meta, less than Amazon/Google. Despite this, they lost in Congress.
  • Australia was the first to block government devices in 2023. The UK, France, Germany, Canada, and Poland joined in 2023–2024.

Sources

  1. Data Protection Commission Ireland, “Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China,” May 2, 2025. URL: https://www.dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-fines-tiktok-eu530-million-and-orders-corrective-measures-following

  2. European Data Protection Board, statement on the EUR 530M TikTok fine, May 2025.

  3. Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), Pub. L. No. 118-50, April 24, 2024.

  4. TikTok, Inc. v. Garland, 604 U.S. 56 (2025).

  5. TikTok v. Garland, D.C. Circuit, December 6, 2024.

  6. Graham Doyle, DPC Deputy Commissioner, public statements, May 2, 2025.

  7. Data Protection Commission v. Facebook Ireland Ltd (Schrems II), C-311/18, CJEU, July 16, 2020.

  8. Holland & Knight, “U.S. Supreme Court Upholds TikTok Sale-or-Ban Law,” January 2025.

  9. Milton Mueller, “Yes, it’s a Ban,” Internet Governance Project, March 2024.

  10. Tech Policy Press, “US Power Play Over TikTok Did Nothing to Protect Americans,” January 30, 2026.

  11. Sen. Ed Markey, public statement on the USDS Joint Venture, January 2026.

  12. House Select Committee on the Chinese Communist Party, reports 2024–2026.

  13. TikTok USDS Joint Venture agreement documents, January 22, 2026.

  14. CNBC, Euronews, Reuters, The Hacker News — extensive coverage on May 2, 2025.

  15. FTC warning, August 2025.

Last updated: 2026-04-18 Card in database: E03_tiktok_ban_transfers.md

Related cases

Cases that share a company, mechanism, legal precedent or jurisdiction.