National Procedural Autonomy and Stays of GDPR Supervisory Decisions: Commentary on TikTok Technology Ltd v Data Protection Commission [2025] IEHC 619

National Procedural Autonomy and Stays of GDPR Supervisory Decisions:
Commentary on TikTok Technology Ltd & TikTok Information Technologies UK Ltd v Data Protection Commission [2025] IEHC 619

1. Introduction

This High Court judgment (Mulcahy J, 13 November 2025) addresses a highly significant remedial question at the intersection of EU data protection law and national procedural autonomy: what test should an Irish court apply when asked to stay a decision of the Irish Data Protection Commission (DPC) made under the GDPR’s one-stop-shop mechanism?

The Data Protection Commission had adopted an extensive decision against TikTok Technology Ltd (TikTok Ireland) on 30 April 2025, following an own-volition inquiry into the transfer of personal data of European Economic Area (EEA) users to China. The DPC found that TikTok had:

  • Infringed Article 46(1) GDPR by failing to ensure an “essentially equivalent” level of protection for data accessed from China; and
  • Breached Article 13(1)(f) GDPR by not adequately informing data subjects about these transfers between 29 July 2020 and 1 December 2022.

The DPC imposed administrative fines of €530 million and ordered TikTok to:

  • Suspend its data transfers / remote access from China under Article 58(2)(j) GDPR (“the Suspension Order”); and
  • Bring its processing into compliance with the GDPR under Article 58(2)(d) (“the Corrective Order”).

TikTok appealed the Decision under sections 142 and 150 of the Data Protection Act 2018 (the 2018 Act) and sought a stay of the Suspension and Corrective Orders pending that appeal. By statute, the fines were automatically stayed; the corrective measures were not. TikTok argued that implementing the Suspension Order would require “billions” in expenditure, significant workforce reconfiguration, and irreversible business disruption — harm that could not be fully compensated later, even if the appeal succeeded.

The DPC opposed the stay, emphasising the fundamental rights of approximately 159 million monthly EEA users and contending for a higher “EU law” interim relief standard (the Zuckerfabrik test) rather than the Irish domestic Okunade test.

This judgment therefore sets an important precedent by:

  • Confirming that decisions of national supervisory authorities under the GDPR’s Article 60 one‑stop‑shop remain national measures for the purposes of interim relief; and
  • Holding that Irish courts will apply their own national stay/interlocutory injunction test (Okunade), not the stricter CJEU Zuckerfabrik criteria, to such applications.

The Court nonetheless carefully cross-checks its conclusion against the Zuckerfabrik framework and finds that, even if that EU-law standard applied, the outcome would be the same.

2. Factual and Procedural Background

2.1 Parties

  • Applicants:
    • TikTok Technology Limited (TikTok Ireland) – the controller for TikTok’s EEA operations.
    • TikTok Information Technologies UK Limited (TikTok UK) – joined as a party as the entity allegedly responsible for paying any fines. The DPC contests its standing, but this point is parked for now.
  • Respondent:
    • Data Protection Commission – the Irish supervisory authority under the GDPR and the lead supervisory authority (LSA) for TikTok’s cross-border processing.

2.2 The DPC Inquiry and Decision

The DPC’s investigation started as an own-volition inquiry under s.110 of the 2018 Act in September 2021, triggered by:

  • Information from TikTok that certain China-based personnel accessed EEA user data for support, engineering, maintenance and development; and
  • Requests from other EU supervisory authorities (notably the French CNIL) and concerns raised by a Dutch NGO.

The DPC:

  • Obtained TikTok’s Data Transfer Assessments (DTAs) for China, updated several times between 2021–2024.
  • Issued a Statement of Issues in July 2022, framing five core issues, including TikTok’s use of Standard Contractual Clauses (SCCs), any reliance on Article 49 derogations, the adequacy of its assessment of Chinese law, the sufficiency of supplementary measures (including “Project Clover”), and compliance with Article 13(1)(f) GDPR.
  • Issued a Preliminary Draft Decision (PDD) on 17 May 2023, provisionally finding infringements of Articles 46(1) and 13(1)(f), and proposing fines and corrective orders.
  • Considered extensive further submissions, legal opinions on Chinese law, technical reports (including on Project Clover and pseudonymisation), and updated DTAs (notably the July 2024 DTA).
  • Produced a Draft Decision in February 2025 and circulated it to 46 other supervisory authorities as “supervisory authorities concerned” (SACs) under Article 60 GDPR.

No SAC raised a “reasoned objection”. Thus the DPC, as LSA, adopted its final Decision on 30 April 2025, with non-material adjustments. The temporal scope of the infringement finding was confined to 29 July 2020 – 17 May 2023.

2.3 The Orders and the Appeal

The Decision:

  • Found that TikTok had failed to adequately assess and address risks from Chinese law (including the National Intelligence Law, Counter‑Espionage Law, Anti‑Terrorism Law, and Cybersecurity Law) and hence had failed to demonstrate that EEA user data accessed from China enjoyed equivalent protection to that within the EU (Article 46(1)).
  • Found that, until December 2022, TikTok had not properly informed users about the transfers and remote access to China (Article 13(1)(f)).
  • Imposed fines totalling €530 million.
  • Ordered TikTok to:
    • Suspend the data transfers / remote access from China (Suspension Order) six months after the Decision, under Article 58(2)(j); and
    • Bring processing into compliance with the GDPR (Corrective Order), also effective after six months, under Article 58(2)(d).

TikTok appealed under ss.142 and 150 of the 2018 Act, raising:

  • Substantive issues: alleged misinterpretation of Chinese law; errors in applying Schrems II; mischaracterisation of TikTok’s SCCs and supplementary measures (Project Clover); over-reliance on what TikTok calls “negative” findings (failure to prove equivalence) rather than any “positive” finding that an equivalent level of protection does not exist.
  • Procedural/fair procedures issues: reliance on matters first raised in the Article 60 Draft Decision without a further preliminary decision; alleged failure to properly engage with new, post‑PDD measures; refusal to issue a revised PDD.
  • Penalties: including alleged improper use of ByteDance group turnover in calculating fines.

By operation of s.142, only the fines were automatically stayed. TikTok therefore applied for a stay of the Suspension and Corrective Orders. An interim stay was granted at entry into the Commercial List and extended pending the full hearing of this stay application in October 2025.

2.4 The Confidentiality Order (Section 156, 2018 Act)

TikTok sought, and obtained, a protective order under s.156 of the 2018 Act to prevent disclosure of commercially sensitive information referenced in affidavits and exhibits for the stay application. Mulcahy J emphasised that:

  • S.149(5) requires the DPC, when publishing decisions, to avoid disclosing commercially sensitive information.
  • It would “wholly undermine” that statutory protection – and the effectiveness of remedies under the GDPR/2018 Act – if parties had to forfeit such confidentiality in order to challenge a DPC decision.
  • The order was less restrictive than an in camera hearing and thus the least restrictive means of protecting the interests the statute recognised.

The Court thus carefully balanced open justice with protection of trade secrets, limiting non‑disclosure to information within the statutory confidentiality regime.

3. Summary of the Judgment

The key holdings of the High Court may be summarised as follows:

  1. Applicable test for a stay:
    • A DPC decision made under the GDPR’s Article 60 one-stop-shop mechanism is not an EU institution act, but remains a national measure of the Irish supervisory authority.
    • The GDPR (in particular Recital 143 and Article 78) deliberately leaves challenges to such decisions to national courts applying national procedural law.
    • Therefore, the appropriate test for a stay is the Okunade test (as clarified in Dowling), not the Zuckerfabrik interim relief standard.
  2. Serious issue to be tried:
    The DPC accepted that TikTok’s appeal raises serious issues or “serious doubts as to the validity” of the Decision, satisfying both the Okunade “arguable case” standard and the Zuckerfabrik merits threshold.
  3. Irreparable / non‑adequately compensable harm to TikTok:
    • If the Suspension Solution were implemented (massive anonymisation / removal of access from China; relocation or redundancy of thousands of staff; extensive system reconfiguration), TikTok would incur very significant financial loss, conservatively assessed in the billions of US dollars.
    • Although this loss is pecuniary, damages are not an adequate remedy:
      • Francovich damages are uncertain and difficult to obtain, especially where the DPC enjoys domestic statutory immunity (s.154 2018 Act) and where some appeal grounds are domestic law/fair procedures points.
      • The damages are extremely difficult to quantify in a dynamic online platform market, lack benchmarking, and involve intangible elements (goodwill, market share, brand, competitive position) which in practice may be impossible to value accurately.
    • Applying the logic of the CJEU’s Amazon (interim measures) decision, such unquantifiable financial harm is serious and irreparable for the purpose of interim relief analysis.
  4. Balancing of interests / least risk of injustice:
    • The Court must give considerable weight to the need to implement a presumptively valid DPC decision, especially one aimed at protecting fundamental rights to data protection (Article 8 EU Charter) of 159 million EEA users.
    • However, several factors attenuate the risk to those rights if a stay is granted for a short, controlled period:
      • The DPC’s key infringement finding is essentially “negative” – that TikTok failed to demonstrate equivalence – rather than a positive finding that insufficient protection actually exists.
      • The finding relates to a past temporal scope (July 2020–May 2023); there is no explicit positive finding of ongoing infringement post‑Project Clover.
      • The DPC did not treat the situation as so urgent as to invoke the Article 66 GDPR urgency mechanism; the inquiry and decision unfolded over years, and the DPC allowed a six‑month compliance period.
      • The DPC itself acknowledged that the exact risk of Chinese authorities accessing data is uncertain.
      • EEA users have, since December 2022, been informed that their data may be remotely accessed from China.
    • Given that the substantive appeal can be heard within roughly the same timeframe as the six‑month implementation window, a short, conditional stay inflicts relatively little prejudice on the public interest, while avoiding potentially massive irreversible harm to TikTok if the Decision is ultimately quashed or varied.
  5. Admissibility of new evidence on the stay:
    • The Court rejected the admissibility of:
      • Evidence from the EDPB Chair (Ms Talus) largely consisting of legal argument and policy opinion.
      • Evidence from a technical expert (Dr Hunton) that introduced new and different grounds (e.g. malicious actors, inadequate information) that were not part of the DPC’s reasoning in the Decision.
      The DPC cannot buttress the Decision post hoc with new rationales when arguing against a stay.
    • However, the Court allowed Chinese law evidence from Prof. Zang, and rebuttal evidence from TikTok’s experts, insofar as it related to assessing the real-world level of risk during the stay period (not the legality of the Decision itself, which is reserved to the appeal).
    • TikTok’s additional technical evidence (Project Clover, pseudonymisation, etc.) was admissible to assess actual risk and balance of convenience, not to decide the merits of the appeal.
  6. Outcome and Conditions of the Stay:
    • The Court granted a stay on:
      • the Suspension Order, and
      • the Corrective Order,
      pending determination of TikTok’s appeal in the High Court.
    • The stay is subject to two key conditions:
      1. Expedited prosecution of the appeal: TikTok must prosecute the appeal with all reasonable diligence and ensure, so far as lies within its control, that the appeal is heard by March 2026.
      2. User notification: TikTok must notify its users, in a manner to be agreed or directed by the Court, in clear and understandable terms:
        • of the DPC’s Decision and its material findings; and
        • that TikTok has appealed and that a stay of the corrective measures has been granted.
    • Both parties have liberty to apply regarding continuation or modification of the stay.

4. Legal Framework

4.1 GDPR Provisions

The Court’s reasoning relies heavily on the structure and objectives of the GDPR:

  • Fundamental rights basis:
    • Recital 1 and Article 8 of the Charter: the right to protection of personal data.
    • Recital 4: data protection must be balanced with other fundamental rights, including the right to an effective remedy and fair trial.
  • Cross‑border transfers (Chapter V, Articles 44–46, 49):
    • Article 44: transfers to third countries must not undermine the level of protection guaranteed by the GDPR.
    • Article 45: adequacy decisions by the Commission.
    • Article 46: transfers on the basis of appropriate safeguards (e.g., SCCs), provided enforceable rights and effective remedies are available.
    • Article 49: limited derogations, including explicit informed consent.
  • Supervisory architecture and one‑stop shop:
    • Articles 51, 56, 58: supervisory authorities’ investigative and corrective powers.
    • Article 60: co-operation between lead supervisory authority (LSA) and supervisory authorities concerned (SACs), including the draft decision, reasoned objections and, if necessary, recourse to the EDPB under Article 65.
    • Recitals 124–126: emphasise a co-operative, “one-stop shop” across the EU, with decisions “agreed jointly” and binding on the controller or processor.
  • Urgent action:
    • Article 66(1): allows supervisory authorities, in exceptional urgent cases, to adopt provisional measures derogating from the Article 60/consistency mechanism for up to three months.
  • Judicial remedies:
    • Article 78 GDPR & Recital 143: Member States must provide an effective judicial remedy against legally binding decisions of supervisory authorities; such proceedings are to be brought before the courts of the Member State where the authority is established and be conducted “in accordance with that Member State’s procedural law”.
    • Recital 143 further makes a clear distinction between:
      • actions to annul decisions of the EDPB before the CJEU (Article 263 TFEU), and
      • national court proceedings challenging decisions of national supervisory authorities.

4.2 Data Protection Act 2018 (Ireland)

  • Sections 108–111: empower the DPC to conduct inquiries (own-volition or complaint-based) and impose corrective measures.
  • Section 142: provides a statutory appeal and an automatic stay on fines, but not on corrective orders.
  • Section 149(5): confidentiality of commercially sensitive information in published decisions.
  • Section 154: statutory immunity for the DPC and its staff for acts done in good faith in performance of its functions.
  • Section 156: allows the court to hear proceedings (or parts) otherwise than in public, to protect e.g. commercially sensitive material.

4.3 EU Law on Interim Relief: Zuckerfabrik vs Unibet

The judgment draws a central distinction between two strands of CJEU jurisprudence:

  1. Zuckerfabrik line (Zuckerfabrik; Atlanta; ABNA)
    Applies where:
    • a national court is asked to suspend a national measure that gives effect to an EU regulation or directive, and
    • the validity of the underlying EU measure is itself challenged before the CJEU (usually via a preliminary reference).
    In such cases, uniform CJEU-derived conditions must apply to interim relief:
    • Serious doubts as to the validity of the EU measure (merits test).
    • Urgency: risk of serious and irreparable damage before final decision.
    • Due regard for the interests of the EU and the Union legal order (EU interests test).
  2. Unibet line
    In Unibet (London) Ltd v Justitiekanslern (C-432/05), the CJEU distinguished cases where:
    • the validity of the EU measure itself is not in issue; instead, a national measure is challenged as being contrary to EU law.
    In such situations:
    • There is no requirement to apply Zuckerfabrik conditions.
    • Interim relief is governed by national procedural law, subject to:
      • Equivalence – EU-based challenges must not be treated less favourably than similar domestic ones; and
      • Effectiveness – national rules must not make it impossible or excessively difficult to exercise EU rights.

4.4 Irish Law: Okunade and Dowling

The leading Irish test for stays and interlocutory injunctions in public law cases is Okunade v Minister for Justice [2003] 3 IR 153. The Supreme Court held that, once an arguable case is established, the court must determine where the “greatest risk of injustice” lies, taking into account:

  • The presumption of validity and public interest in implementing lawful schemes.
  • The consequences for the applicant of having to comply with the impugned measure if it is later held unlawful.
  • Whether damages are an adequate remedy (and whether any undertaking as to damages is realistic).
  • The strength or weakness of the case where it can be assessed without complex fact-finding.

In Dowling v Minister for Finance [2013] 4 IR 576, the Supreme Court confirmed that Okunade satisfies the EU principles of equivalence and effectiveness where EU-law issues are raised, and recognised – echoing Unibet – that different Member States may reach different interim relief outcomes under their own procedural rules.

4.5 Other Key Authorities Referenced

  • Eircom v ComReg [2022] IEHC 165: MacDonald J applied Zuckerfabrik to interim relief in an appeal under the electronic communications Framework Regulations, on the basis that the EU Directive regime required harmonisation of interim relief standards.
  • Three Ireland v ComReg [2022] IECA 300: the Court of Appeal accepted (obiter) that the tension between recital language and operative provisions on interim relief could justify further analysis or even a reference, but did not decide the issue because Three had accepted Zuckerfabrik in the High Court.
  • Word Perfect Translation Services v Minister for Public Expenditure [2018] IECA 35: Court of Appeal emphasised the difficulty of recovering Francovich damages as a reason why damages may not be an adequate remedy when considering interim relief in public procurement cases.
  • Curust Financial Services v Loewe-Lack-Werk [1994] 1 IR 450: difficulty in calculating damages does not automatically render them an inadequate remedy, but this is context-specific; here, the Court contrasts a stable rust-primer market with dynamic global platform markets.
  • Amazon Services Europe Sàrl v Commission (C-639/23 P(R)): CJEU (Vice‑President) decision on interim measures under the Digital Services Act, recognising that unquantifiable financial harm due to mandatory transparency obligations can be “irreparable” for the purpose of urgency, but ultimately refusing interim relief due to overriding EU interests in effective implementation of the DSA.
  • Schrems II (C‑311/18): CJEU confirmed that supervisory authorities are required to suspend or prohibit transfers where SCCs cannot ensure an essentially equivalent level of protection and no other means can cure the deficiency.
  • Facebook Ireland v Gegevensbeschermingsautoriteit (C‑645/19): important guidance on the GDPR one-stop-shop mechanism and the roles of LSA and SACs.

5. Core Legal Issues and the Court’s Reasoning

5.1 Is a DPC Decision under Article 60 GDPR a National or EU Measure?

The DPC argued that:

  • Because decisions are reached via Article 60 co-operation and have binding EU/EEA-wide effects, they are functionally akin to EU measures.
  • As such, national courts should apply Zuckerfabrik to any application to suspend them, to ensure uniformity throughout the Union.

TikTok countered that:

  • The Decision “belongs” to the Irish DPC alone, even if reached in co-operation with other authorities.
  • The GDPR expressly assigns challenges to such decisions to national courts applying national procedural law, barring any harmonisation of interim relief standards.

Mulcahy J accepted TikTok’s analysis. Key points:

  • The DPC is not an EU institution; it is a national supervisory authority established under Article 51 GDPR and the 2018 Act.
  • Even though Article 60 involves extensive co-operation, the final Decision remains that of the LSA (here, the DPC) and:
    • is challengeable only in the courts of the Member State where that authority is established;
    • there is no suggestion that it is jointly adopted in a way that would open it to judicial review in multiple Member States.
  • The GDPR explicitly recognises that decisions implementing Article 65 EDPB rulings and decisions of the Board itself are juridically different:
    • EDPB decisions may be subject to annulment actions before the CJEU (Article 263 TFEU, Recital 143);
    • Supervisory authority decisions must be challenged in national courts under national procedure (Article 78, Recital 143).
  • The fact that a decision has cross-border binding effect on other supervisory authorities (Article 60(6)) flows from the one-stop-shop, not from any intention to transform such decisions into EU legislative or executive acts.

Thus, the case does not fall within the Zuckerfabrik paradigm (where the validity of an EU act itself is at stake). It is squarely within the Unibet paradigm: a challenge to a national measure alleged to be inconsistent with EU law, to be governed by national procedural autonomy subject to equivalence and effectiveness.

5.2 Does the GDPR Require Harmonisation of Interim Relief Standards?

The DPC contended that uniform interim relief standards are necessary to avoid fragmenting GDPR enforcement and to forestall “forum shopping”. The Court responded:

  • Recital 143 is explicit: proceedings against supervisory authorities “should be conducted in accordance with that Member State’s procedural law”.
  • The GDPR carefully harmonises substantive rights and the decision-making/co-operation mechanism among supervisory authorities, while deliberately leaving procedural mechanisms of judicial control to Member States.
  • The risk of divergent national approaches is an inherent and accepted feature of EU law where national procedural autonomy applies, as recognised in Dowling and Unibet.
  • The one-stop-shop structure significantly mitigates any risk of conflicting substantive decisions regarding the same processing — only one LSA issues the relevant decision, binding SACs; interim relief in national courts does not create multiple conflicting decisions, but only temporary variations in enforcement.
  • Arguments from “forum shopping” are unpersuasive in this context:
    • Controllers cannot easily re‑locate “lead establishment” simply to obtain a more favourable stay test in a hypothetical future dispute.
    • Irish procedural rules have already been found to meet equivalence and effectiveness; they are not uniquely permissive.

Consequently, the Court finds that the GDPR does not harmonise or prescribe a CJEU‑style interim relief standard for national judicial proceedings challenging supervisory decisions. National procedural autonomy remains the rule.

5.3 Adequacy of Damages / Serious, Irreparable Harm

The Court undertook a detailed analysis of whether damages would be an adequate remedy for TikTok if:

  • It were compelled to implement the Suspension and Corrective Orders now; and
  • Later succeeded in having the Decision quashed or varied on appeal.

Key elements of the Court’s reasoning:

  • Significant pecuniary harm established:
    • On the basis of extensive affidavit and expert evidence (TikTok internal personnel, economists, technical experts), the Court accepted that TikTok would probably incur billions in lost profit contribution and extra costs.
    • The DPC’s methodological criticisms did not seriously undermine the overall evidence, particularly given absence of cross-examination.
  • Nature of loss: predominantly financial, but still “irreparable”:
    • Loss of workforce know‑how, reputational harm, and degraded user/advertiser experience are ultimately economic in nature in the corporate context.
    • However, the fact that loss is pecuniary does not automatically make damages “adequate” or harm “reparable”.
  • Francovich damages are uncertain:
    • The 2018 Act grants the DPC statutory immunity for acts done in good faith (s.154), raising complex questions about any potential Francovich liability.
    • Some grounds of appeal are purely domestic (fair procedures, natural and constitutional justice), potentially outside the Francovich framework.
    • Word Perfect confirms that difficulties in obtaining Francovich damages can justify treating damages as inadequate for interim‑relief purposes.
  • Quantification is virtually impossible:
    • Unlike the stable market in Curust, the global social media/online platform environment is volatile and unique; no comparable “benchmarking” exists for the kind of disruption a Suspension Order would cause.
    • Losses would be multi‑dimensional (revenue, user engagement, share of global advertising, longer‑term brand erosion, opportunities foregone, strategic positioning) and would unfold over many years.
    • As the CJEU indicated in Amazon, incalculable pecuniary harm can be “irreparable” in the interim measures context.

Mulcahy J therefore concludes that, both under Okunade and even under Zuckerfabrik (via the Amazon approach), TikTok faces serious, irreparable harm if a stay is refused and the appeal later succeeds.

5.4 Balancing Exercise: TikTok’s Interests vs Fundamental Rights / EU Interests

This is the crux of the Okunade analysis: where does the greatest risk of injustice lie, given:

  • the high public interest in implementing a presumptively valid GDPR enforcement decision protecting fundamental rights; and
  • the significant, not readily compensable harm to TikTok if the Suspension Order is implemented but later held unlawful?

Factors favouring TikTok:

  • Timescale:
    • The Decision built in a six-month grace period.
    • The appeal can, realistically, be heard before the end of that implementation window, or shortly thereafter.
    • The stay therefore only extends the existing delay marginally, rather than postponing implementation for years.
  • Nature and scope of DPC findings:
    • The Article 46(1) infringement is framed as TikTok’s failure to adequately assess and demonstrate an equivalent level of protection, not as an unequivocal finding that such protection does not or cannot exist.
    • The infringement period is confined to July 2020 – May 2023. The DPC separately considered post‑PDD Project Clover measures in assessing whether to impose a Suspension Order but did not find a formally distinct ongoing breach in explicit terms.
    • Though the DPC considered Project Clover, TikTok has since further refined and implemented these measures; there is uncontroverted evidence that no Chinese authority has ever requested EEA user data.
  • DPC’s own assessment of urgency:
    • The inquiry lasted years and involved considerable iterative engagement; the DPC did not consider the situation so urgent as to invoke Article 66’s emergency powers.
    • This signals that the DPC did not view the risk as imminently catastrophic, even in its own expert evaluation.
  • User awareness:
    • Since December 2022, TikTok’s EEA privacy policy has informed users that data is stored in Singapore and the US and remotely accessed by entities in China (and other countries).
    • While this is not equivalent to explicit Article 49(1)(a) consent, it reduces the informational asymmetry and may mitigate some aspects of rights impact during the short stay.

Factors favouring refusal of a stay (DPC/Union interests):

  • Fundamental rights at stake:
    • The right to data protection and privacy is a Charter right; cross-border transfers to a jurisdiction with widely acknowledged surveillance and security powers pose a non-trivial risk.
    • There are 159 million EEA users; many are minors or young adults, whose protection warrants particular care.
  • Presumption of validity and Schrems II duty:
    • Schrems II makes clear that if a supervisory authority concludes that SCCs and supplementary measures cannot ensure an equivalent level of protection, it must suspend or prohibit transfers.
    • That conclusion is currently presumptively valid and must be given “all appropriate weight” under Okunade.

Mulcahy J holds that, on the specific facts, a short, condition-laden stay until the appeal is heard minimises the risk of injustice:

  • The incremental additional risk to fundamental rights from a few more months of transfers, when weighed in light of:
    • the Decision’s negative/assessment-based nature;
    • the absence of any known access request from Chinese authorities;
    • the existence of substantial security measures (Project Clover; pseudonymisation); and
    • user notification obligations now imposed by the Court;
    is comparatively limited.
  • By contrast, requiring TikTok to implement the Suspension Solution immediately could inflict irreversible structural and economic damage, which cannot be meaningfully unwound if the Decision is later overturned.

The Court distinguishes Amazon on the basis that there, the contested Commission designation was central to the implementation of the Digital Services Act structure itself, with a stay threatening to delay the realisation of EU‑wide policy objectives for years. Here, the stay only concerns a single enforcement decision against a specific controller under an already operative GDPR system.

5.5 Admissibility of Evidence at the Stay Stage

The judgment offers valuable guidance on what evidence is permissible at the stay stage in an appeal against a regulatory decision:

  • The Court:
    • May not re‑decide the merits or remake the decision on the basis of new evidence; the focus is the risk of injustice pending appeal, not the underlying validity.
    • May consider evidence relevant to:
      • the extent and nature of harm to the applicant if a stay is refused;
      • the real-world level of risk to public interests/fundamental rights during the stay period; and
      • changed circumstances since the decision, insofar as these affect the balancing exercise.
    • Must not allow the regulator to introduce new substantive grounds or factual bases to justify the decision post hoc when opposing a stay.

Applying those principles:

  • Evidence from the EDPB Chair and from Dr Hunton was largely inadmissible: it comprised legal submissions and new rationales (e.g. malicious actors, alleged lack of information) not forming part of the DPC’s original reasoning.
  • Evidence from Prof. Zang and TikTok’s Chinese law experts, and additional technical evidence on Project Clover and pseudonymisation, was admissible only to determine the scale of risk during the stay period, not to pre‑judge the appeal.

6. Precedents and Their Influence

6.1 Zuckerfabrik and Unibet

The Court follows the distinction carefully drawn in Zuckerfabrik and Unibet:

  • Zuckerfabrik: national courts faced with challenges to national acts that directly implement EU regulations which are themselves attacked as invalid must apply EU‑specified interim relief rules, to ensure coherence between:
    • preliminary references challenging validity; and
    • direct annulment actions before the CJEU.
  • Unibet: where there is no direct challenge to an EU act’s validity, but only a claim that national law is incompatible with EU law, interim relief is governed by national procedural law.

Here, TikTok is:

  • Not challenging an EU regulation or decision as invalid; it is challenging the lawfulness of a national supervisory authority’s decision applying the GDPR.
  • Bringing that challenge only before the Irish High Court, the forum designated by the GDPR and national law.

Hence, Unibet and Dowling point clearly towards application of Okunade, not Zuckerfabrik.

6.2 Dowling and Word Perfect

Dowling is pivotal. It confirms that the Okunade test is fully compatible with:

  • Classification of EU rights as domestic rights justiciable before Irish courts; and
  • The twin requirements of equivalence and effectiveness under EU law.

Word Perfect, though a public procurement case, strongly influenced the Court’s approach to damages inadequacy here. It recognised that:

  • Where Francovich damages are difficult and constrained, they do not, in practical terms, provide a robust or effective remedy.
  • This difficulty must be considered in the balance when assessing whether to grant interim relief.

6.3 Eircom, Three Ireland, and the Limits of Harmonisation

Eircom and Three Ireland show that in certain sectors, EU directives may in effect require harmonised interim relief standards. But they are context-specific:

  • The electronic communications Framework Directive contained express (if somewhat ambiguous) language and recitals dealing with effective judicial remedies and interim measures.
  • The High Court in Eircom felt constrained to adopt a Zuckerfabrik-style approach based on the directive’s structure.
  • In Three Ireland, the Court of Appeal noted the tension between recitals and operative text and indicated that, had the point been open, a preliminary reference might have been warranted.

By contrast, the GDPR’s operative provisions and recitals (especially Recital 143 and Article 78) expressly affirm the primacy of national procedural law for challenges to supervisory decisions. No comparable textual basis for harmonising interim relief exists.

6.4 Schrems II and the Duty to Suspend

The DPC relied heavily on Schrems II, where the CJEU held that supervisory authorities must suspend or prohibit transfers where SCCs and supplementary measures cannot ensure an adequate level of protection. Mulcahy J accepts that:

  • This duty applies to supervisory authorities when they reach such a conclusion on the merits; and
  • The DPC’s Decision is presumptively valid until set aside on appeal.

However, Schrems II does not speak to the powers of national courts on interim relief applications. The Court must still:

  • Guarantee an effective judicial remedy for controllers and processors; and
  • Conduct a balancing exercise under national law (Okunade) to minimise overall injustice.

6.5 Amazon and the Concept of Irreparable Pecuniary Harm

The Amazon interim relief decision is used by the Court as a comparative point of reference for assessing whether:

  • Large, unpredictable, and complex financial losses can count as “irreparable” for interim relief purposes; and
  • The EU interest in effective enforcement of new regulatory regimes may sometimes override such harm.

Mulcahy J follows Amazon in accepting that:

  • Even purely financial harm can be irreparable when it cannot be meaningfully quantified or compensated.

But he distinguishes this case from Amazon when weighing Union interests:

  • The Digital Services Act’s implementation objectives would have been substantially delayed EU‑wide if interim relief were granted in Amazon.
  • Here, the stay affects only one enforcement decision against a single controller; the GDPR framework continues to function unimpeded for all other controllers and in all other Member States.

7. Complex Concepts Simplified

7.1 GDPR “One-Stop-Shop” and Article 60

Under the GDPR’s “one-stop-shop”:

  • For cross-border processing, one supervisory authority – typically where the controller’s main establishment is located (here, Ireland) – acts as the lead supervisory authority (LSA).
  • Other supervisory authorities affected by the processing are “supervisory authorities concerned” (SACs).
  • The LSA drafts a decision, circulates it to SACs, and must “take utmost account” of reasoned objections; unresolved disputes may be referred to the European Data Protection Board (EDPB).
  • When consensus (or an EDPB binding decision) is reached, the LSA adopts the final decision.

This mechanism aims to make cross-border enforcement more coherent and efficient while still leaving procedural control of judicial remedies to national courts.

7.2 Standard Contractual Clauses (SCCs) and Article 46 GDPR

Where the European Commission has not declared a third country “adequate” (Article 45), controllers may still transfer personal data by relying on SCCs – standardised clauses containing contractual obligations regarding data protection between exporter and importer.

However:

  • SCCs bind the contracting parties, not the foreign state or its intelligence agencies.
  • Post‑Schrems II, controllers using SCCs must:
    • Assess the legal framework of the third country (including surveillance laws); and
    • Adopt supplementary technical, organisational, and contractual measures if necessary to ensure an essentially equivalent level of protection.

7.3 Procedural Autonomy, Equivalence and Effectiveness

  • Procedural autonomy: EU law generally leaves Member States free to design their own court procedures, provided EU rights are adequately protected.
  • Equivalence: procedures for enforcing EU rights must not be less favourable than those for similar domestic claims.
  • Effectiveness: procedures must not make it “practically impossible or excessively difficult” to exercise EU rights.

Okunade (as endorsed in Dowling) is Ireland’s way of reconciling these principles for interim relief.

7.4 Francovich Damages

“Francovich damages” refer to state liability in damages for breach of EU law, where:

  1. The EU law rule infringed is intended to confer rights on individuals;
  2. The breach is sufficiently serious; and
  3. There is a direct causal link between the breach and the damage suffered.

They are:

  • Limited and subject to stringent conditions;
  • Usually difficult and expensive to pursue; and
  • Not available for all types of breach (e.g. where only national law is infringed).

This judgment underscores that the theoretical availability of Francovich damages is not enough, on its own, to render damages an “adequate remedy” for interim relief purposes in complex regulatory cases.

7.5 Okunade vs Zuckerfabrik

  • Okunade test (Irish law):
    • Step 1: Is there an arguable case / serious issue to be tried?
    • Step 2: Where does the least risk of injustice lie, considering:
      • Presumption of validity and public interest in enforcement;
      • Harm to the applicant if relief is refused but they later win;
      • Harm to the public interest if relief is granted but the measure is later upheld;
      • Adequacy of damages; and
      • Where appropriate, relative strength of the parties’ cases.
  • Zuckerfabrik test (CJEU interim measures):
    • Serious doubts as to the validity of the EU measure.
    • Urgency: risk of serious and irreparable damage if interim relief is not granted.
    • Balance of interests: including the interests of the Union legal order and uniform application of EU law.

Mulcahy J concludes that, for challenges to DPC decisions, Okunade governs, though in this case the result would have been the same even under Zuckerfabrik.

8. Impact and Implications

8.1 For Data Protection Enforcement in Ireland and the EU

  • The judgment confirms that:
    • National courts (not the CJEU) are the primary fora for reviewing decisions of supervisory authorities under Article 60.
    • Irish courts will use the Okunade framework for interim relief in GDPR enforcement appeals.
  • Other Member States’ courts, when faced with similar stay applications, are likely to:
    • Apply their own domestic interim relief standards, not Zuckerfabrik, unless their national law or a particular EU instrument explicitly says otherwise; but
    • Ensure those standards comply with equivalence and effectiveness.
  • This reinforces the decentralised judicial control element of the GDPR: pan‑European consistency in regulatory action via Article 60, but national diversity in procedural remedies.

8.2 For Tech Companies and Large Platforms

  • Controllers facing wide‑ranging (and expensive) GDPR corrective measures may:
    • Rely on this judgment when arguing for stays if they can demonstrate:
      • substantial, effectively unquantifiable financial harm; and
      • uncertainty or limited duration regarding the risk to fundamental rights pending appeal.
  • However, the judgment should not be misread as lowering the bar for stays per se:
    • The Court placed great emphasis on the specific facts:
      • Long inquiry timeline and lack of urgency measures by the DPC;
      • Limited temporal scope of the infringement finding;
      • Project Clover and user notification steps;
      • Ability to hear the appeal relatively quickly.
    • In a case of acute risk (e.g. immediate misuse of sensitive data, ongoing serious harms, or evidence of state access), the outcome might differ.

8.3 For the DPC and Other Supervisory Authorities

  • Supervisory authorities wishing to defend urgent enforcement measures must:
    • Be prepared to justify the degree of urgency and the nature of the risk to rights if a stay is granted.
    • Avoid attempting to introduce new substantive grounds in court that were not part of the original decision.
  • Authorities may consider:
    • Using Article 66 GDPR in truly urgent cases to adopt short-term provisional measures that may be harder to suspend; and
    • Being explicit in decisions about whether breaches are ongoing beyond any specified temporal scope of inquiry.

8.4 For Litigation Strategy and Evidence

  • The judgment underlines the importance of:
    • Robust, detailed evidence on the scale and nature of harm claimed by the applicant seeking a stay;
    • Clear delineation between evidence relevant to the merits and evidence relevant to the interim balance of convenience;
    • Being cautious about introducing new arguments at the stay stage that were not in the original decision.

8.5 For Users and Fundamental Rights

  • The Court recognises that:
    • EEA users’ fundamental rights are engaged and carry great weight; and
    • Interim measures cannot be considered in a vacuum: how long the risk persists and how serious it is in practice are central questions.
  • The user notification condition imposed by the Court is of particular importance:
    • It enhances transparency for users, allowing them to decide whether to continue using TikTok pending the outcome of the appeal.
    • It partially mitigates the interference with their rights by at least ensuring they are informed that the DPC considers TikTok in breach and that TikTok disputes this.

9. Conclusion

This judgment in TikTok v DPC is a significant addition to Irish and European data protection jurisprudence, chiefly for three reasons:

  1. It clarifies the remedial framework for GDPR enforcement decisions:
    National supervisory decisions under the GDPR’s one-stop-shop remain national measures. Challenges to them, including applications for stays, are governed by national procedural law (Okunade in Ireland), not by the CJEU’s Zuckerfabrik interim relief test. The GDPR’s own text, particularly Recital 143 and Article 78, is determinative on this point.
  2. It refines the understanding of “irreparable” pecuniary harm in regulatory appeals:
    In complex, dynamic markets like global social media platforms, massive and unquantifiable financial losses can be irreparable for interim relief purposes, especially where:
    • Francovich damages are uncertain and difficult to obtain; and
    • Any attempt at damages quantification would be speculative and incomplete.
    The Court’s reasoning aligns with the CJEU’s approach in Amazon but applies it within a national, GDPR‑enforcement context.
  3. It demonstrates a nuanced balancing between fundamental rights and economic realities:
    The Court does not diminish the importance of data protection rights; it acknowledges their centrality under the Charter and the GDPR. But it also recognises that, where the risk to rights during a short stay is limited and uncertain, and the economic consequences of immediate enforcement are drastic and largely irrecoverable, a carefully conditioned stay may represent the least unjust outcome.

In practical terms, the judgment:

  • Allows TikTok to avoid immediate implementation of highly disruptive technical and organisational measures pending its appeal, while;
  • Requiring it to expedite the appeal and to transparently notify users of the DPC’s findings and of the ongoing legal challenge.

In the broader legal landscape, TikTok v DPC stands as an important precedent:

  • Re-affirming national procedural autonomy in the enforcement of the GDPR;
  • Signalling that courts will scrutinise both the urgency and the realistic magnitude of risks to fundamental rights when deciding interim relief; and
  • Providing a detailed roadmap – for regulators, platforms, and litigants alike – on how to structure evidence and argument in stay applications involving complex, cross-border data flows and EU‑derived regulatory obligations.

Case Details

Comments