For organisations operating across borders, the outcome of this appeal, which rejected most grounds of TikTok’s appeal against the DPC’s Inquiry Decision, is a significant reminder that compliance with international transfer requirements under the GDPR requires substantively more than identifying an appropriate transfer mechanism.

DPC Decision – Inquiry IN-21-9-2

In May 2025, the DPC announced its final decision in an own-volition inquiry into transfers of EEA user data to China. The own-volition inquiry arose from supervisory interactions with TikTok, where the DPC was informed that personal data stored by TikTok outside China was remotely accessed by employees in China, constituting an international transfer for the purpose of Chapter V GDPR. The DPC identified infringements of Article 46 GDPR (transfers subject to appropriate safeguards) and Article 13(1)(f) GDPR (transparency relating to international transfers) and imposed corrective actions comprising administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance. 

TikTok appealed the DPC Inquiry Decision on 11 grounds, including breaches of fair procedures, errors of assessment, errors of law and failures to correctly apply Article 83 GDPR.

High Court Judgment – TikTok Technology Limited v Data Protection Commission [2026] IEHC 347

The High Court did not accept most of TikTok’s grounds of appeal and upheld the findings in the DPC Inquiry Decision in relation to the identified infringements of Article 46 GDPR and Article 13(1)(f) GDPR. 

Article 46 GDPR – Demonstrating Adequate Protection

TikTok argued that, following Schrems II, it was sufficient for a controller to satisfy itself that adequate protection of transferred data exists. The Court rejected that interpretation, stating that it would be unworkable in practice. Instead, the Court found that the obligation in Article 46(1) GDPR – that international transfers of personal data are permitted only where the controller has provided appropriate safeguards – and its interpretation by the CJEU in Schrems II should be read in light of the general principle of accountability contained in Article 5(2) GDPR and the general obligation contained in Article 24(1) GDPR that a controller must implement appropriate measures to demonstrate compliance with the requirements of the GDPR.

Noting the interpretation of Article 46(1) GDPR by the CJEU in Schrems II as requiring verification that adequate levels of protection exist in the third country to which personal data is transferred, the Court found that “[i]f there is a requirement to carry out such a prior assessment … it must be a requirement to carry out an adequate assessment”. On this basis, the Court concluded that it is open to a supervisory authority “to examine the assessment carried out by a controller and consider whether it was adequate, and whether it in fact demonstrates what it purports to demonstrate”. 

The Court found it was not necessary for the supervisory authority to conduct an independent examination of the laws of the third country and that identifying a gap or shortcoming in the assessment by the controller was sufficient to ground a conclusion that the controller had failed to comply with its obligations under Article 46 GDPR. 

Article 13(1)(f) GDPR – Transparency

TikTok argued that Article 13(1)(f) GDPR did not contain a specific obligation to name third countries to which personal data was transferred and that the DPC’s argument in favour of doing so would be inconsistent with the requirement in Article 12(1) GDPR for information to be provided to data subjects in concise and easily accessible form. 

The Court did not accept TikTok’s argument and affirmed the DPC’s view that identification of the third country to which personal data is transferred by the controller is required by Article 13(1)(f) GDPR. As TikTok’s October 2021 EEA privacy policy did not identify China as a destination country, the Court upheld the DPC’s finding that Article 13(1)(f) had been infringed. The Court also rejected TikTok’s argument based on Article 12(1) GDPR, noting that the December 2022 Privacy Policy showed that this information could readily be provided in clear language.

Outcome and corrective orders

While most appeal grounds raised by TikTok were not upheld, the Court found that the DPC erred in refusing to consider a third expert opinion on Chinese law provided by TikTok and in concluding, without stating the basis for its conclusion, that TikTok’s Project Clover pseudonymisation and privacy measures, did not justify a different corrective approach.

While the Court found that these errors did not affect the findings of infringement in relation to either Article 46 GDPR or Article 13(1)(f) GDPR, it considered that the corrective orders may have been affected by these errors. On this basis, the Court was satisfied that the appropriate resolution was to make an order vacating the corrective orders and remitting the question of what corrective orders should have been made in light of the Article 46 infringement finding to the DPC for further consideration.

Key takeaway

The High Court’s decision is an important reminder that organisations transferring personal data outside the EEA must be able to not only identify an appropriate transfer mechanism, but must also be in a position to adequately document its assessment that the transferred data benefits from a level of protection essentially equivalent to that guaranteed under the GDPR. The High Court judgment reaffirms organisations must “verify, guarantee and demonstrate” that they have conducted a robust and detailed assessment of the protection afforded to personal data in third countries and that such assessments must be capable of withstanding scrutiny as to their adequacy and sufficiency from supervisory authorities such as the DPC.

The authors would like to thank Cian Curley for his contribution to this article.