The TikTok Ruling That Changed Data Sovereignty
Updated for 2026
In May 2025, Ireland's Data Protection Commission fined TikTok €530 million. The reason was simple. TikTok sent EU user information to China without proper safeguards.
This is the second-largest single GDPR penalty ever. Only the €1.2 billion Meta fine from 2023 is larger. Ireland's DPC issued that one too — for sending EU records to Facebook's US servers.
Both cases share a clear pattern. Cross-border transfers without proper safeguards draw the largest fines. Regulators will keep pushing until companies change.
Total GDPR fines reached €5.65 billion through 2025. Enforcement is no longer a background risk. It is an active cost of doing business. See our GDPR conformance guide for a practical overview.
What the TikTok Case Decided
This case was not about a breach. It was about where user files go and the legal basis for moving them across borders.
TikTok stored EU user data on servers that staff in China could access remotely. GDPR Articles 44–46 restrict transfers to countries without an EU adequacy decision, and China has no such decision. TikTok argued that its technical measures were adequate. Regulators disagreed.
The lesson is simple. Hosting in the EU is not enough if staff outside the EU can access the files. It is also not enough if the company must follow laws from a non-adequate country.
This matters when you pick SaaS vendors. A vendor may say "we host in the EU." But if their parent is based elsewhere, the same risk applies. If their support staff access user files from outside the EU, the same risk applies. Their customers share that risk too. Check our compliance alignment checklist before signing a DPA.
GDPR Fines: €5.65 Billion and Counting
| Enforcement Action | Fine | Year | Grounds |
|---|---|---|---|
| Meta (Facebook) — DPC | €1.2B | 2023 | Illegal EU-US transfers |
| TikTok — DPC | €530M | 2025 | EU-China transfers |
| Amazon — CNPD Luxembourg | €746M | 2021 | Advertising targeting |
| WhatsApp — DPC | €225M | 2021 | Transparency failures |
| Google — CNIL France | €150M | 2022 | Cookie consent |
Regulators moved from setting rules to enforcing them. Transfer violations now draw the biggest fines. Learn how we handle security and safeguards.
Germany, Switzerland, and Sector Rules
GDPR Articles 44–46 apply to all sectors. But some industries face extra rules on top of GDPR.
German healthcare: Social Code Book V (SGB V) limits health documents to German-controlled systems. A German insurer may use a cloud de-identification tool hosted in Dublin, which is inside the EU, and still break SGB V if the tool's owner is a non-German firm.
Swiss banking: Article 47 of the Banking Act bans sharing client documents with outside parties. That includes cloud providers without explicit client consent. A Swiss bank's customer files, even in an EU-hosted tool, may trigger this law.
German public sector: BfDI guidance limits government documents to government-run systems. A de-identification tool on a commercial cloud provider's EU servers does not meet this standard.
The lesson: GDPR alignment is the floor, not the ceiling. Many sectors face stricter rules. Our entity processing overview maps which rules apply by sector.
Who Has an Adequacy Decision?
The GDPR lets organisations transfer personal data to a country without further safeguards if the European Commission has decided that the country provides equivalent protection. These countries qualify:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay, and the USA (Data Privacy Framework).
These countries do not qualify: China, India, Russia, Brazil, most of Asia-Pacific, most of the Middle East, most of Africa.
The EU-US Data Privacy Framework is back in force. But it is still being challenged in court. The same legal arguments killed Safe Harbor (Schrems I) and Privacy Shield (Schrems II). Companies using this framework should plan for another invalidation.
Four Levels of Protection for Tool Selection
The TikTok and Meta cases create a clear ranking for SaaS tool evaluation.
Level 1 — EU hosting: User information is processed and stored on EU servers. This meets the GDPR baseline for most use cases.
Level 2 — EU-based operator: The vendor's parent is EU-based. It is not subject to non-adequate country laws. This fixes the TikTok problem. EU hosting paired with Chinese-law exposure for the parent is not safe.
Level 3 — Zero-knowledge design: Even if the vendor is hacked or gets a court order, they cannot read your files. You hold the encryption keys. They hold only ciphertext. Read about our zero-knowledge approach.
Level 4 — Local processing: Your documents never leave your own systems. Processing runs on local hardware or government-controlled machines. This is the only way to fully meet German SGB V, Swiss banking secrecy, and BfDI rules. See our pricing plans for Desktop App options.
DPIAs After TikTok
GDPR Article 35 requires a Data Protection Impact Assessment for high-risk processing. This is called a DPIA. When user files go to third-country processors, you also need a transfer impact assessment.
After TikTok, DPIAs for cloud redaction tools must answer four questions.
Parent jurisdiction: Is the vendor's parent subject to laws — CLOUD Act, Chinese cybersecurity law — that could force them to hand over EU user files?
Staff access: Do staff in non-adequate countries access EU user files in normal operations?
Legal basis: What GDPR Article 46 mechanism covers any transfers — SCCs, BCRs, or derogations?
Breach impact: If the vendor is hacked or compelled to hand over documents, what gets exposed?
TikTok showed that contracts alone are not enough. You must assess them for adequacy. Document your answers. Browse our FAQ for common DPIA questions.
2026 Procurement Questions
DPOs now ask very specific questions when reviewing SaaS vendors for personal information processing tools.
- Where are the servers located? (EU?)
- Where is the parent company based? (EU? US? Other?)
- Do non-EU staff access EU customer files?
- What law governs court orders for personal documents?
- Does the vendor hold encryption keys, or do you?
- Is there a local processing option?
The answers to these questions — not DPA signatures alone — determine real sovereignty alignment. Learn how anonym.legal was built to answer all of them at our founder statement. You can also browse our glossary of key terms for quick definitions of SCCs, BCRs, and adequacy decisions.
The post-TikTok environment is clear. Regulators watch cross-border transfers closely. Fines are large. They are rising. Your vendor choice is now a regulatory decision. It is not just a technical one.
anonym.legal uses EU-based Hetzner data centers with zero-knowledge design. The server never sees your plain-text content. A full server breach yields only AES-256-GCM ciphertext. Need local-only processing? The Desktop App runs entirely on your device with no external connections.
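To make the Level 3 claim concrete, here is an added illustration (not anonym.legal's own code) of the zero-knowledge model described above: the client generates and keeps the AES-256 key, the server stores only the GCM blob, and any alteration of that blob by a breached or compelled server is rejected on decryption. The type and function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ClientKey is a 256-bit AES key generated and held only by the client; the server never receives it.
type ClientKey [32]byte

// NewClientKey draws a fresh random key on the client side.
func NewClientKey() (k ClientKey, err error) {
	_, err = rand.Read(k[:])
	return
}

func newGCM(k ClientKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document with AES-256-GCM; the blob (nonce || ciphertext || tag) is all the server stores.
func Seal(k ClientKey, doc []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per document
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, doc, nil), nil // ciphertext+tag appended after nonce
}

// Open decrypts and verifies on the client; any byte altered on the server fails.
func Open(k ClientKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

A breach of the storage side exposes only the blob, which contains no plaintext, and a different key or a single flipped byte makes Open return an error instead of silently wrong output.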
Sources
- Irish DPC: TikTok €530M Fine Decision
- Wire: Digital Sovereignty 2025
- GDPR.eu Enforcement Tracker