TikTok wins delay on order blocking China data access during appeal

Ireland's High Court granted TikTok permission on November 13, 2025, to continue transferring European user data to China while the company appeals a €530 million penalty. The decision means TikTok can maintain current operations for 159 million monthly European users rather than immediately blocking Chinese employees from accessing their information. Justice Rory Mulcahy ruled the temporary delay creates less harm than forcing irreversible changes before determining whether regulators made the right call.

The ruling addresses a Data Protection Commission decision issued April 30, 2025, which found TikTok violated European privacy law between July 29, 2020 and May 17, 2023. The regulator concluded that when Chinese-based employees remotely accessed European user data stored on servers in Singapore and the United States, that access counted as an illegal data transfer. Ireland's privacy watchdog determined TikTok failed to prove Chinese law provided equivalent protection to European standards.

The commission gave TikTok six months to either stop the transfers or prove compliance. Without the court's intervention, that deadline would force TikTok to cut off thousands of Chinese employees from accessing European user information by late March 2026. TikTok argued this would cost billions and permanently damage its business, even if the company eventually wins its appeal.

The original €530 million fine represented one of the largest penalties under the General Data Protection Regulation. The Data Protection Commission imposed two separate administrative fines: €485 million for failing to ensure adequate data protection and €45 million for failing to properly inform users about data transfers to China until December 2022.

Justice Mulcahy's judgment resolved a legal fight about which rules should govern the case. The Data Protection Commission wanted the court to use strict European Union standards that typically apply when someone challenges EU-wide regulations. Those rules, called the Zuckerfabrik test, make it harder to pause enforcement while appeals proceed. The regulator argued its decision deserved special protection because other European privacy authorities reviewed and accepted it.

TikTok countered that standard Irish legal procedures should apply, using the Okunade test. That framework asks judges to identify where the greatest risk of injustice lies. The company needed the court to choose this path because it provides more flexibility for blocking government decisions temporarily.

The 81-page judgment sided with TikTok on procedure. Justice Mulcahy determined that decisions by national privacy regulators remain national measures, even when other European authorities participate. The General Data Protection Regulation explicitly states that legal challenges "should be conducted in accordance with that Member State's procedural law," according to the judgment.

"The GDPR, therefore, has not harmonised, and does not require the harmonisation of, national procedural rules," Justice Mulcahy wrote. The regulation deliberately chose not to standardize how courts handle these disputes.

The decision distinguished between challenging a regulator's decision versus challenging rules created by European Union institutions. When someone disputes an EU regulation or directive directly, stricter standards apply. But TikTok challenged Ireland's Data Protection Commission specifically, making it a national administrative law case despite the European privacy law background.

The judgment acknowledged that other European Economic Area privacy authorities received the Irish regulator's draft decision under a cooperation process. Supervisory authorities from France, the Netherlands and Berlin provided comments, but none formally objected. That acceptance added weight to the Irish decision but didn't transform it into an EU-level measure requiring different court procedures.

TikTok presented detailed financial evidence to justify the delay. The company explained it would need to implement a "Suspension Solution" blocking Chinese personnel from accessing European user data. Technical experts described severe disruptions to critical business processes if TikTok removed that access immediately. Professor Peter Pietzuh from Imperial College London verified the company's technical analysis.

Grant Thornton calculated potential losses at US$1.716 billion in lost profits over three years, plus US$3.105 billion in costs to relocate thousands of employees from China to other countries. TikTok argued these changes would be difficult or impossible to reverse, meaning the company couldn't recover those losses even if it wins the appeal.

The Data Protection Commission challenged those numbers. Kieran Wallace from Interpath questioned whether TikTok calculated the figures properly, noting the company provided no industry comparisons. The regulator argued that financial losses don't usually justify blocking enforcement, because companies can sue for damages later if they win their appeals.

Justice Mulcahy disagreed with the commission's damages argument. The judgment determined that calculating what TikTok would lose faces "insuperable difficulties" because this type of disruption has never happened before in the industry. Without precedent or comparison data, accurately measuring harm becomes virtually impossible. The Court of Justice of the European Union recognized in a recent Amazon case that inability to calculate damages makes them inadequate as a remedy.

The judgment also noted uncertainty about whether TikTok could actually recover damages. Ireland's Data Protection Act 2018 grants the commission immunity from lawsuits. While European law might override that immunity for certain claims, TikTok's appeal includes arguments based purely on Irish constitutional and procedural law. If TikTok wins on those domestic grounds rather than European privacy law, damage claims might not work.

The court balanced financial concerns against privacy risks. Justice Mulcahy acknowledged that 159 million European users face potential threats to their fundamental rights if their data lacks adequate protection in China. The judgment described this as requiring "very considerable weight" in the analysis.

However, several factors reduced the apparent urgency of blocking transfers immediately. The Data Protection Commission's investigation ran from September 2021 through April 2025 without using emergency procedures available under Article 66 of the regulation. The commission gave TikTok six months to comply after issuing its decision. These timelines suggested regulators didn't view the situation as requiring immediate action.

The commission's findings addressed historical transfers ending May 17, 2023. TikTok implemented additional protections called Project Clover after that date. The regulator reviewed those measures when deciding whether to order suspension, concluding they remained insufficient. But the judgment noted that because the breach finding covered a past period, current risk levels might differ from what existed during the investigation.

TikTok provided evidence that no Chinese government authority has ever requested access to European user data. The company publishes transparency reports every six months documenting such requests. Expert reports from Chinese law professors argued that territoriality principles prevent Chinese authorities from accessing data stored outside China, even when Chinese employees view it temporarily.

The Data Protection Commission presented competing expert testimony. Professor Dongsheng Zang from the University of Washington School of Law disputed TikTok's interpretation of Chinese law. Consultant Paul Hunton raised concerns about technical vulnerabilities and risks from malicious actors. Justice Mulcahy ruled most of this evidence inadmissible for the stay application because it either contradicted the commission's decision or raised new issues the regulator never relied upon.

An unexpected disclosure complicated TikTok's case. On March 21, 2025, the company informed regulators that contrary to previous statements, some European user data had actually been stored on Chinese servers. This occurred through TikTok's OnCall help desk system, where support agents sometimes included personal information in ticket descriptions rather than just summarizing technical problems. TikTok moved that data out of China and restricted access when it discovered the issue.

The judgment acknowledged this incident undermined TikTok's credibility but didn't make it decisive. Justice Mulcahy focused on the regulatory decision's scope and the relative harms of delaying enforcement versus forcing immediate compliance before the appeal concludes.

The court imposed conditions on the delay. TikTok must prosecute its appeal diligently and ensure a hearing by March 2026 if within the company's control. The parties indicated that timing should work, potentially allowing the appeal to proceed before the original suspension deadline would have taken effect anyway.

TikTok must also notify all users about the Data Protection Commission's decision in clear, accessible language. The notification can mention the appeal and court-ordered delay. Both parties can ask the court to reconsider the stay if circumstances change.

Justice Mulcahy concluded that granting the delay creates the least risk of injustice. If TikTok loses its appeal, the company will have operated under disputed practices for several additional months. But if TikTok wins and the court had forced immediate changes, the company would suffer billions in unrecoverable losses and permanent business damage.

"In circumstances where the DPC has made a 'negative' finding, that TikTok has not satisfied the requirement to show that an equivalent level of protection is available, rather than a 'positive' finding, that there is not, in fact, an equivalent level of protection," the judgment stated, "it is legitimate to distinguish between the findings made here" and other cases where regulators proved actual ongoing harm.

The Data Protection Commission may appeal the procedural ruling to Ireland's Court of Appeal. The substantive challenge to the €530 million penalty and suspension order remains pending, with hearings potentially scheduled for early 2026.

The procedural determination carries implications beyond TikTok. By confirming that national court procedures apply to privacy regulator decisions, the ruling establishes that similar cases across Europe may face different standards depending on each country's administrative law. The European Data Protection Board's work programme emphasizes enforcement cooperation between regulators, but court oversight remains national.

Justice Mulcahy acknowledged this could create inconsistencies. A privacy regulator's decision might face tougher scrutiny in courts applying one member state's procedures versus another's. However, the judgment concluded this reflects the regulation's deliberate design rather than a defect requiring correction.

The ruling distinguished situations where the European Data Protection Board issues binding decisions through formal dispute resolution. Those decisions come from an EU institution and would likely face the stricter Zuckerfabrik standards. But the Irish commission's decision, even after consultation with other European regulators, remains a national measure.

TikTok's substantive appeal challenges multiple aspects of the commission's analysis. The company argues the regulator made procedural errors by raising new issues in late-stage drafts without allowing adequate response time. TikTok disputes the commission's interpretation of Chinese law and contests calculations that based fines on parent company ByteDance's revenue rather than TikTok's own finances.

The commission maintains its investigation followed proper procedures and accurately assessed Chinese legal frameworks. The regulator relied on laws including China's National Intelligence Law, Counter-Espionage Law, Anti-Terrorism Law and Cybersecurity Law when determining that Chinese authorities could potentially compel access to European user data.

The inquiry began after TikTok disclosed that Chinese employees accessed European Economic Area user information to provide technical support services. TikTok maintained that because data stayed on servers outside China, Chinese law shouldn't apply. The commission disagreed, establishing that remote access itself constitutes a transfer requiring protection assessments.

The investigation examined TikTok's use of Standard Contractual Clauses, pre-approved contract terms that companies can use for international data transfers when the destination country lacks European Commission adequacy determinations. China has no such adequacy finding. Standard Contractual Clauses alone don't satisfy legal requirements if the destination country's laws prevent them from working effectively.

TikTok provided multiple data transfer assessments during the investigation, updating its analysis in October 2021, October 2022, December 2022, October 2023, and July 2024. The company submitted expert reports on Chinese law and described Project Clover security measures including encryption, access controls, and third-party monitoring by NCC Group.

The commission concluded these protections didn't adequately address risks from Chinese government access supported by what it termed "problematic laws." The regulator determined TikTok failed to verify, guarantee and demonstrate that European user data received equivalent protection in China to what it would receive within the European Union.

TikTok's appeal will test those conclusions against conflicting expert testimony about Chinese legal interpretations and technical security measures. The company argues Project Clover provides robust protections that the commission inadequately assessed. The judgment granting delay doesn't address these substantive disputes, focusing solely on whether enforcement should pause during appeal.

Privacy advocacy groups have raised broader concerns about Chinese platforms' data practices. Organization noyb filed complaints in January 2025 against six Chinese technology companies including TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi, arguing their data transfers to China violate European law given Chinese authorities' surveillance powers.

The timing adds complexity to TikTok's regulatory environment. The U.S. Supreme Court upheld legislation in January 2025 requiring ByteDance to divest American operations or cease activities. European regulators have intensified scrutiny while TikTok navigates multiple jurisdictions' conflicting requirements.

European enforcement patterns show significant variation across member states. European Data Protection Board statistics reveal only 1.3 percent of cases resulted in fines between 2018 and 2023, with substantial differences in how aggressively various national authorities pursue violations.

Efforts to standardize GDPR enforcement procedures have faced criticism for adding complexity rather than creating clarity. A proposed procedural regulation meant to streamline cooperation between privacy authorities has been described as creating approximately ten different procedure types instead of simplifying core mechanisms.

German authorities established unified fine procedures in June 2025 to address inconsistencies within their federal system. The initiative aims to standardize enforcement approaches across federal and state levels, reflecting broader concerns about disparate application of common legal requirements.

The Irish court's decision preserves TikTok's current operations during what could be an extended legal process. Appeals in administrative law cases involving complex European regulatory frameworks often require multiple years. The March 2026 hearing target represents an aggressive schedule that may face delays.

Marketing professionals monitoring the case recognize potential implications for digital advertising platforms processing cross-border data. The decision establishes procedural frameworks for challenging privacy regulator decisions, while the substantive appeal will test fundamental questions about when remote access to data stored in one jurisdiction by personnel in another jurisdiction triggers transfer requirements.

The outcome could influence how platforms structure international operations and data flows. TikTok's approach of maintaining central data storage in approved jurisdictions while permitting remote access from various locations reflects common practices across the technology industry. A definitive ruling against that model might force broader architectural changes.

For now, TikTok operates under its existing framework while courts determine whether Irish regulators correctly interpreted European privacy law's application to Chinese remote access scenarios. The 159 million European users continue accessing the platform without service disruptions, unaware that significant legal and technical questions about their data protection remain unresolved.

Timeline

• September 14, 2021: Irish Data Protection Commission commenced inquiry into TikTok's data transfers to China
• July 7, 2022: Commission provided TikTok with Statement of Issues detailing investigation scope
• May 17, 2023: Temporal scope of inquiry concluded; commission issued Preliminary Draft Decision on this date
• February 21, 2025: Draft Decision circulated to all European Economic Area supervisory authorities under Article 60
• March 21, 2025: TikTok disclosed OnCall platform incident involving data storage in China
• April 30, 2025: Irish Data Protection Commission issued final decision with €530 million fine and suspension order
• May 27, 2025: TikTok filed originating notice appealing the decision
• June 5, 2025: Proceedings entered High Court Commercial List with temporary stay granted
• July 14, 2025: Justice Gearty granted judicial review permission for challenge to penalty
• October 7-10, 2025: Four-day hearing on stay application before Justice Mulcahy
• November 13, 2025: High Court delivered judgment granting conditional stay pending appeal

Summary

Who: TikTok Technology Limited and TikTok Information Technologies UK Limited challenged the Irish Data Protection Commission's enforcement decision. Justice Rory Mulcahy presided over the stay application at Ireland's High Court.

What: The court granted TikTok's request to delay suspension of data transfers to China while appealing a €530 million fine and corrective orders. The stay permits TikTok to maintain remote access to European Economic Area user data by Chinese-based personnel pending appeal determination, subject to user notification requirements.

When: Justice Mulcahy delivered the judgment on November 13, 2025, addressing the stay application heard October 7-10, 2025. The underlying decision dates to April 30, 2025, covering violations occurring between July 29, 2020 and May 17, 2023.

Where: Ireland's High Court Commercial Division in Dublin issued the ruling. The decision affects data transfers from the European Economic Area to China, involving 159 million monthly TikTok users across 30 European countries.

Why: The court determined that applying Ireland's national procedural law (the Okunade test) rather than stricter European Union criteria (Zuckerfabrik test) created the least risk of injustice. The judgment balanced TikTok's demonstrated financial harm against limited risks to fundamental rights during the appeal period, concluding that temporary delay in implementing the suspension order would not significantly compromise data protection while avoiding billions in potentially irreversible costs if TikTok's appeal succeeds.