Post by : Anis Farhan

Photo: Reuters

Austrian privacy watchdog Noyb (None of Your Business) has dramatically escalated its legal campaign against TikTok, lodging new GDPR complaints in Greece. The move forms part of a broader pressure strategy targeting several Chinese-owned platforms over opaque handling of personal data within the European Union. Unlike earlier actions, these filings specifically challenge the effectiveness of TikTok’s data access mechanisms and transparency.

Though TikTok and its peers previously faced scrutiny, including a row over whether EU data was transferred to China or merely accessed remotely from there, Noyb now focuses on how difficult it is for users to obtain their own data. Sources report that TikTok only granted partial access in “unstructured” formats that are unreadable or fragmented, effectively denying Europeans the fundamental right to data portability under GDPR. Noyb charges that this breach continues despite TikTok’s claims of compliance and a prior €530 million fine levied earlier this year by Irish regulators.

This fresh flurry of complaints is significant because it broadens the battleground from Ireland and its central role in EU tech regulation to countries across the bloc. Notably, Noyb has filed similar cases against TikTok in Greece, as well as complaints against AliExpress (Belgium) and WeChat (Netherlands), signaling a coordinated campaign across jurisdictions. The move could result in additional fines—GDPR allows for penalties up to 4% of a company’s global turnover for the most serious violations.

The complaints center on the data subject access request (DSAR) process. Under GDPR, European citizens have the right to request and receive their full personal data in a portable format. TikTok's failure to provide suitably formatted information effectively undermines this right, Noyb asserts, suggesting that the app collects extensive user data while restricting its release at will. The group maintains that unless this mismatch is addressed, Europeans lack effective means to audit how their data is used—impinging on transparency, accountability, and individual autonomy.

Noyb's data protection lawyer, Kleanthi Sardeli, criticized these platforms for “aggressively collecting as much data … but vehemently refusing to give full access as required by EU law.” Sardeli’s legal team has previously driven investigations that led to significant regulatory fines for major players like Apple and Meta, and the present wave of cases continues that agenda.

Earlier this year, in April, TikTok admitted that some EU user data had been temporarily stored on Chinese servers—a reversal of its previous stance that no such data transfers occurred. That admission triggered the massive €530 million fine by Ireland’s Data Protection Commission (DPC)—the bloc’s lead regulator for TikTok—cited for violating data security and remote access rules upheld by GDPR. The fine also included a mandate for TikTok to alter its data handling under its “Project Clover” initiative, which aims to localize EU user data in European data centers.

TikTok has since deleted the mislocated data and appealed the ruling, stating it is striving to comply by integrating legally approved contractual safeguards. The company says it discovered the breach proactively during Project Clover and reported it in the interest of transparency. Still, the DPC has announced a fresh inquiry centering on whether the data was lawfully transferred or retained in China, and whether GDPR protocols were followed. This new DSAR-based complaint compounds the existing investigation, creating layered regulatory risk for the company.

Beyond enforcement actions, TikTok is culturally squeezed by shifting public vibes in Europe. Governments worrying over Chinese influence now consider greater platform oversight an urgent priority. Some EU nations, policymakers, and even parents’ groups express unease not just about data storage, but about content controls, mental health effects, and propaganda potential. Gaining usable insight into personal data through DSARs can be a vital tool for independent research and public accountability—especially when standard avenues are blocked by unclear or incomplete disclosures.

Earlier cases show that this kind of pushback is not just academic. Noyb’s persistent complaints previously won fines and forced changes at major tech firms. Should these new DSAR-focused cases advance, similar outcomes may force TikTok to refine its data accessibility tools, align actual practices with GDPR obligations, and ensure the data is fully machine-readable and structured. These changes, while feasible, represent a substantial compliance lift that would elevate standards across all digital platforms, not just those targeted.

For users, the implications are powerful: a successful complaint could improve TikTok's user controls, make transparency simpler, and create precedents that ripple through other apps. TikTok’s critics hope it also signals a shift from passive data collection to enforceable rights. For the regulator, it maps a transition from fine-based enforcement to operational compliance—prioritizing actual user experience over abstract filings.

TikTok’s parent firm, ByteDance, may also be watching carefully. Multiple EU-level revelations this year already damaged trust in the company's data ethics. A second round of complaints could invite punitive cross-border coordination among DPAs, and renew debates around banning or curbing TikTok in other non-EU jurisdictions. Meanwhile, some US states and federal bodies are continuing zealous oversight over TikTok regarding children’s data, national security, and content moderation—reinforcing the sense that scrutiny is no longer regionally confined.

In the short term, TikTok is expected to fully cooperate with Noyb and submit a formal technical and legal defense. But failure to remedy DSAR defects within designated timeframes could trigger fines and reputational erosion, especially among European users who often cite inability to access their own data as a critical grievance.

In effect, TikTok now faces a reckoning not just for where data is stored, but how it enforces transparent access. If Noyb’s strategy prevails, the platform—and potentially others—may be forced to prioritize GDPR compliance in meaningful user experiences rather than rely on corporate tokenism. The coming months will reveal if Europe's regulatory tide turns from heavy-handed fines to sustained structural accountability in the age of data.