NewsMay 2, 2025
Our Response to the Irish Data Protection Commission Decision on Data Transfers
Christine Grahn, Head of Public Policy & Government Relations - Europe
- The decision fails to fully consider Project Clover, our €12 billion industry-leading data security initiative that includes some of the most stringent data protections anywhere. It instead focuses on a select period from years ago, prior to Clover’s 2023 implementation and does not reflect the safeguards now in place.
- The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.
- With 175 million users across Europe, more than 6,000 employees, and a platform that has helped small businesses contribute €4.8 billion to GDP and over 51,000 jobs, TikTok is deeply integrated into the European economy.
- We disagree with the decision and plan to appeal in full.
Today, Ireland's Data Protection Commission (DPC) announced its final decision in the inquiry into TikTok's compliance with the GDPR’s requirements for transfers of personal data to China.
The decision primarily focuses on a select period from years ago, before the 2023 implementation of Project Clover, our €12 billion data security initiative. The DPC itself recorded in its report what TikTok has consistently said: it has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.
The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm. The decision fails to fully consider these considerable data security measures.
With 175 million users across Europe, more than 6,000 employees in the region, and a platform that helped small businesses contribute €4.8 billion to GDP and over 51,000 jobs, TikTok is deeply integrated into the European economy. This decision has implications not just for TikTok, but for any company in Europe operating globally. We disagree with this decision and intend to appeal it in full.
TikTok has followed the EU's own rules
This is not the DPC's first ruling on data transfers outside of Europe. The authority issued a record breaking fine of €1.2 billion to Meta in 2023, ordering it to suspend data transfers to the US, with the conclusion that the US was not providing "adequate" protection for European personal data.
Just 15 countries have data adequacy agreements with the EU - arrangements that allow for free and trusted data flows across borders. As a result, countless companies rely on what are known as Standard Contractual Clauses, pre-approved legal frameworks for international data sharing, to facilitate remote access to data - referred to as data transfers - to employees based in countries which do not have that status.
The DPC contends that we did not undertake necessary assessments. We strongly contest this, having carried out detailed assessments with advice from external law firms and experts.
Beyond the DPC’s failure to substantively consider the extensive safeguards implemented under Project Clover, we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe. Like many organisations that operate globally, TikTok has used the EU’s own legal framework, specifically, Standard Contractual Clauses to grant tightly controlled and limited access to employees in countries without data adequacy agreements.
This approach is in line with the rules established by the European Union, and we have consistently been transparent about our practices. Unlike some other companies, we clearly explain these mechanisms in our privacy policy and communications with our European community, which now numbers over 175 million people.
Project Clover already delivers unprecedented protections for European user data
In 2023, TikTok began rolling out Project Clover in Europe, a €12bn investment that provides unmatched safeguards for European user data. We recently announced a major milestone in our ongoing commitment to data security in Europe: a €1 billion investment to establish our first data center in Finland. Many global companies operating in Europe have employees in China—including our competitors. But none have taken the steps TikTok has. Through Project Clover, we’ve gone further than anyone in addressing hypothetical risks with real, concrete safeguards:
- Our European data security measures under Project Clover, including remote access and data transfer protocols, are now independently monitored, checked and validated around the clock by the respected European cybersecurity company, NCC Group - a level of independent oversight and transparency unmatched amongst online platforms.
- Our European user data is now stored by default in a dedicated European data enclave, currently hosted across data centres in Europe and the United States.
- We've launched additional digital security barriers, known as security gateways. Independently monitored by NCC Group, these gateways are part of a comprehensive system of technical protocols that ensure only approved employees can access specific types of data, further restricting internal access - including no access to restricted data, such as phone number, email and IP address, stored in the enclave from employees in China.
- Under Project Clover, TikTok has implemented advanced privacy-enhancing technologies (PETs), such as encryption-on-access and differential privacy, to ensure that non-restricted data is de-identified before it can be accessed by employees in China. Crucially, independent cybersecurity experts at NCC Group have verified that these safeguards are working as intended.
If the extensive measures implemented under Project Clover, which are the most robust and stringent data safeguards in our industry and beyond, as well as independent, third-party monitoring by NCC Group—are deemed insufficient, it's reasonable to ask: what would be considered sufficient? It is regrettable that the DPC does not appear to have given these comprehensive protections the substantive consideration they warrant.
Far-reaching implications
This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale. It delivers a blow to the European Union’s competitiveness. Through Project Clover, a voluntary multi-billion-euro initiative, TikTok has implemented a comprehensive solution that offers unmatched protections for European user data and privacy, while safeguarding global data flows and supporting continued innovation.
At a time when European businesses and economies need innovation, growth and jobs, we believe the EU should welcome and support solutions like Project Clover, as a way to facilitate secure data flows between the EU and non-adequate countries, while guaranteeing the most robust protections for European data security and privacy.
NewsMay 2, 2025
European Union