TikTok Accused of Ongoing Data Transfers to China

TikTok is facing renewed scrutiny in Europe after Norway’s data protection authority accused the platform of continuing to send users’ personal data to China, despite a major EU fine and escalating regulatory pressure over cross‑border transfers. The allegations deepen long‑running fears that information about European users could be exposed to Chinese state surveillance under Beijing’s sweeping national security and intelligence laws.

Norway’s Watchdog Sounds Alarm

Norway’s Data Protection Authority (Datatilsynet) said this week that TikTok has notified European users it intends to continue transferring their personal data to China, triggering fresh concerns about privacy and legal compliance under EU rules. In a written statement, the regulator said TikTok’s own messaging to users confirmed that European and Norwegian user information would keep flowing to staff based in China.

Officials warned that such transfers carry significant risks because Chinese legislation can oblige companies to assist national intelligence agencies, potentially forcing TikTok’s Chinese owner ByteDance to hand over data if requested. The Norwegian authority stressed that while it is difficult to predict whether Chinese authorities will actually access the data, the very possibility raises red flags under strict European privacy standards.

EU’s €530 Million Fine Sets the Stage

Norway’s move comes months after Ireland’s Data Protection Commission (DPC), the lead privacy regulator for TikTok in the EU, imposed a €530 million (around 600 million dollars) fine over unlawful transfers of European users’ data to China. The DPC concluded that between 2020 and 2023 TikTok breached the General Data Protection Regulation (GDPR) by sending personal data from the European Economic Area (EEA) to China without ensuring an equivalent level of protection.

The Irish watchdog found that TikTok failed to adequately address the risk of access by Chinese authorities under China’s anti‑terrorism, counter‑espionage, cybersecurity and national intelligence laws, which it said diverge materially from EU privacy safeguards. Regulators also criticized the company’s lack of transparency, noting that TikTok had not clearly explained to users where their data was being sent or who could access it, a key requirement under GDPR.

Remote Access, Servers in China – And Inaccurate Evidence

A particularly sensitive element in the Irish decision was the revelation that some European user data had in fact been stored on servers in China, contradicting earlier assurances from TikTok during regulatory inquiries. TikTok had told the DPC that EEA user data was only subject to “remote access” from China and not stored there, but later admitted discovering in February 2025 that a limited amount of such data was indeed kept on Chinese servers.

The DPC said it was “deeply concerned” that TikTok had submitted inaccurate information during its previous investigation, and opened a new inquiry specifically focused on transfers of EEA users’ personal data to servers in China. The fresh probe will examine both where data is physically stored and how transparent TikTok is about third‑country transfers, amid growing pressure on companies to give users clear, verifiable information on cross‑border flows.

Orders to Fix Transfers – Or Stop Them

Alongside the blockbuster fine, the Irish authority ordered TikTok to bring its processing into compliance with GDPR within six months. If it fails to do so, the regulator has signaled that TikTok’s transfers of European user data to China could be suspended, effectively cutting off routine access to that data by Chinese‑based staff.

European regulators stressed that TikTok must “verify, guarantee and demonstrate” that any data sent to China benefits from protections comparable to those inside the EU, including safeguards against unjustified state access. For now, TikTok continues to transfer data while it appeals the DPC decision, exploiting the fact that enforcement measures can be temporarily paused while legal challenges are underway.

TikTok’s Defense: No Data Given to Beijing

TikTok has rejected the central allegation that its data transfers expose users to Chinese state surveillance, insisting there is no evidence it has shared European user information with Chinese authorities. The company says it has never received a formal request from Chinese government bodies for EU user data and has never provided such information, portraying itself as unfairly targeted compared with other global tech firms.

In public statements, TikTok argues that the Irish decision relates mainly to historical practices that have since been abandoned, and points to large infrastructure investments aimed at keeping European data within the region. The platform warns that the ruling could have broad repercussions for multinational companies that rely on globally distributed engineering teams, which often need access to data across borders to maintain and improve services.

Project Clover: Local Data, Global Scrutiny

To reassure European governments, TikTok has launched “Project Clover,” a multi‑billion‑euro initiative to localize storage of EU user data in dedicated regional data centers. The company says it plans to invest around €12 billion in facilities within the European Union, where data from users across the bloc would be stored and processed under enhanced oversight.

Despite these efforts, regulators remain unconvinced that local storage alone solves the problem, because engineers and staff in China may still be able to access data remotely even if it is physically housed in Europe. Watchdogs have emphasized that GDPR is concerned not only with where data sits, but also with who can access it and under what legal regime, bringing Chinese national security laws squarely into the debate.

Norwegian Concerns: Chinese Law and Uncertain Risks

Norway’s complaint is centered on precisely this tension between data location, access rights and foreign legal frameworks. The Norwegian DPA says TikTok’s ongoing transfers raise the risk that Chinese law could compel the platform to share information about European users with authorities in Beijing, even if such access has not yet occurred.

The watchdog’s section head, Tobias Judin, warned that these practices may have serious consequences for privacy, although regulators cannot predict how the data might be used in the future. Norwegian officials note that the issue is not just theoretical, given the breadth of China’s 2017 National Intelligence Law, which mandates that organizations and citizens “support, assist and cooperate” with intelligence work if called upon.

User Warnings and Growing Public Awareness

One of the most visible changes in recent months has been a new wave of in‑app notifications to European users, explicitly informing them that their data may be transferred to or accessed from China. Privacy advocates say these disclosures were prompted by regulatory pressure and court requirements, highlighting concerns that TikTok had not previously been transparent enough about international data flows.

European privacy site GRC Report notes that regulators have identified TikTok’s transfers to China as unlawful under GDPR, yet the company continues the practice while its appeal is pending. This combination of ongoing transfers, formal warnings and legal uncertainty is fuelling public debate about whether TikTok can be trusted with the personal data of millions of European users.

Wider Wave of Complaints Against Chinese Platforms

TikTok is not the only Chinese‑linked platform in the regulatory spotlight. European privacy group noyb has filed multiple GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi, alleging unlawful transfers of EU personal data to China. The complaints argue that many of these services fail to provide a lawful basis and adequate safeguards for sending data to jurisdictions with weaker privacy protections.

These coordinated challenges underscore a broader shift in European enforcement, from focusing on U.S. tech giants under the transatlantic data‑transfer regime to directly targeting Chinese companies and apps. Regulators are increasingly framing Chinese national security legislation as structurally incompatible with EU notions of fundamental rights and data protection, complicating efforts to design standard contractual clauses or technical controls that can satisfy GDPR requirements.

Fresh Irish Investigation Deepens Pressure

In July, Ireland’s DPC escalated its scrutiny by opening a new EU‑wide investigation into TikTok’s transfers of European user data to China, prompted by the company’s admission that some EEA data had been stored on Chinese servers. The inquiry will revisit the scope of TikTok’s transfers, the accuracy of the information it previously provided to regulators, and whether users have been properly informed about where their data resides and who can access it.

The DPC also intends to verify TikTok’s compliance with transparency obligations for third‑country transfers, a recurring weakness flagged in earlier enforcement actions. This new probe comes as TikTok is already appealing the €530 million fine, meaning the company is now defending itself on multiple legal fronts across Europe.

A Test Case for EU–China Data Flows

The outcome of the TikTok cases is likely to set a precedent for how European regulators handle data transfers to China across the technology sector. Legal experts note that the Irish decision explicitly found that Chinese national security and intelligence laws make it difficult to guarantee an “essentially equivalent” level of protection to that enjoyed inside the EU, a core standard under GDPR for international transfers.

If this reasoning is upheld in court, companies relying on engineering teams or cloud infrastructure in China may find it almost impossible to justify routine access to EU personal data, regardless of technical safeguards. That could accelerate a trend toward data localization, fragmentation of global platforms and the emergence of parallel digital ecosystems divided along geopolitical lines.

TikTok’s Balancing Act: Business, Compliance, Trust

For TikTok, the stakes go beyond regulatory fines. Europe is one of the platform’s largest markets, with an estimated 150‑plus million active users across the EU, and losing the ability to process their data efficiently would hit both operations and revenue. At the same time, any perception that user data is vulnerable to foreign state access risks damaging the brand and fuelling political calls for bans or forced divestitures, as seen previously in the United States and other jurisdictions.

The company is trying to navigate this minefield by combining legal appeals, infrastructure investments like Project Clover and public messaging that emphasizes security, independence and cooperation with regulators. Yet Norway’s latest accusation that TikTok continues with controversial data transfers to China suggests that, for now, questions about trust, transparency and sovereignty remain far from resolved.

What Comes Next for Users and Regulators

In the months ahead, several developments will be closely watched:

  • Court challenges to the Irish DPC’s €530 million fine, which will test how far EU regulators can go in restricting data flows to China on the basis of foreign security laws.

  • The outcome of the new Irish investigation into stored EEA data on Chinese servers, which could lead to further sanctions or binding orders on data routing and access controls.

  • Possible coordinated enforcement actions by other European regulators, including Norway and the Netherlands, where authorities have already warned users that TikTok continues to send data to China.

For everyday users, the controversy serves as a reminder that engaging with global platforms increasingly involves geopolitical as well as personal‑privacy calculations. Whether TikTok can convincingly demonstrate that its European operations are insulated from China’s security apparatus will likely determine not only its regulatory fate in Europe, but also the broader trajectory of EU–China digital relations.

