On February 5, 2025, German law firm Spirit Legal filed four cross-border class actions in Germany against TikTok (Chinese parent company ByteDance) and X (US-based, formerly Twitter). Spirit Legal is representing the Dutch Foundation for Market Information Research (Stichting Onderzoek Marktinformatie, SOMI) in the lawsuits.
The lawsuits allege multiple violations of German and European Union laws, and are early tests of two newer laws, as well as claiming GDPR violations.
We look at what the alleged violations are, which laws are referenced, the damages and actions sought, and what these lawsuits say about the current social media landscape and regulation of rapidly evolving technology.
Which laws are TikTok and X alleged to have violated?
The lawsuits allege that TikTok and X’s actions have violated the Digital Services Act (DSA), the AI Act, and the General Data Protection Regulation (GDPR).
The GDPR has been in effect since 2018, however, the DSA only came into effect for all relevant platforms on February 17, 2024. This is just shy of a year before these lawsuits were filed, though the DSA’s rules have applied to designated Very Large Online Platforms (VLOP) or Very Large Online Search Engines (VLOS) since August 2023.
VLOPs and VLOSes are categorized as platforms with at least 45 million monthly active users in the EU.
The first requirements of the AI Act came into effect August 1, 2024, with the most recent requirements — regarding prohibited AI practices and AI literacy — coming into effect only three days before these lawsuits were filed, on February 2, 2025.
These lawsuits will be early tests of compliance requirements of the DSA and AI Act, and could set precedent for future complaints against large tech platforms and their activities.
EU data protection authorities already have a well established history of fining large tech platforms — including TikTok and X — with GDPR violations, amounting to billions of Euros.
For example, TikTok has been fined by the Dutch DPA for violating children’s privacy, and X (as Twitter) was charged by the FTC in the United States and ordered to pay USD 150 million for deceptively using account security details (phone numbers and email addresses) to sell targeted ads.
What violations do the lawsuits claim TikTok and X committed?
The lawsuits allege separate sets of violations by TikTok and X respectively, as well as common alleged violations by the companies.
Alleged violations by both TikTok and X
The lawsuits contend that both TikTok and X facilitate the spread of disinformation, deepfakes, and misleading content. (Deepfakes are images, videos, or audio generated or edited using AI tools, and may depict real or non-existent people.)
It’s noted that these activities have particularly occurred during election periods, and can manipulate public opinion. Additionally, this political content is often internationally financed, covertly sponsored, and disseminated without clear labeling. These activities have been called election interference in the US, UK, and Romania, among other countries.
The lawsuits claim these activities are serious violations of the DSA, AI Act, and GDPR in Germany and the EU.
Alleged violations by TikTok
With respect to TikTok, the lawsuits contend that TikTok manipulates young users and bolsters its recommendation algorithms using sensitive personal data. Multiple class action lawsuits have been filed against TikTok before for various misuses of children’s data, including at the state and federal levels in the US and in the EU.
For example, in 2021 TikTok agreed to pay USD 92 million to settle dozens of lawsuits alleging that the company harvested users’ personal data and shared it with third parties, some of which were based in China. The data in question included biometric data that’s categorized as sensitive, as well as children’s data — which can’t be collected or processed without prior parental consent — without users’ knowledge or consent.
In the same year, a claim was filed in the UK for children in the UK and EU. The allegations were that the app collects and processes children’s data without the knowledge of children or their parents, or the required consent. The data in question included phone numbers, precise location, biometric data, and videos with children in them.
The lawsuits also allege that TikTok spies on users illegally via its in-app browser, and uses addictive design strategies that maximize user engagement by exploiting behavioral psychology. TikTok’s recommendation algorithms are personalized using sensitive personal data, and are alleged to endanger children’s and teens’ mental health.
The exploitative design system allegations fall under the AI Act’s newly enacted prohibitions on manipulation, deception, and exploitation in AI systems.
Alleged violations by X
As for X, the lawsuits assert that X has repeatedly failed to report significant data breaches to either authorities or affected users, who also were never compensated as victims of the breaches.
X is also alleged to use sensitive user data without any legal basis to power its recommendation algorithms. The lawsuit claims that the depth of personalization the platform delivers undermines free formation of opinions and contributes to increasing polarization in society.
While in the US prior consent is not required for many kinds of processing of personal data, under many of the state-level data privacy laws in effect, processing of sensitive or children’s data are two instances when prior consent is required.
Additionally, many other international privacy laws, like the GDPR, are extraterritorial, so X is required to comply with laws in jurisdictions like the EU where prior consent for data processing is required.
What damages and actions are the lawsuits seeking?
The lawsuits are seeking to have unlawful profiling banned on the platforms, including prohibiting processing of sensitive data for personalized content and advertising. Examples of such data include individuals’ health, political views, religious affiliation, or sexual orientation.
The lawsuit claims that these kinds of microtargeting violates users’ rights to informational self-determination and pose risks to democracy, security, and health.
Also in the list of demands are more effective measures on the platforms against disinformation and foreign interference, especially to protect the integrity of democratic elections.
As the suits allege significant violations involving children and their data, there are also demands for stronger protections for children and teens, including from harmful content like dangerous trendy “challenges”. TikTok has already been sued over deaths of teens from such challenges in the past.
The suits are seeking compensation from between EUR 500 to 2,000 per user from TikTok, which is estimated to have nearly 275 million users in the EU, and between EUR 750 to 1,000 per user from X, which is estimated to have nearly 106 million users in the EU. Globally, one in four TikTok users is under age 20.
If the lawsuits are successful, these penalties could total billions of Euros. To date, the largest GDPR-related fine has been EUR 1.2 billion, levied against Meta, parent company of Facebook, Instagram, and WhatsApp. As noted, these lawsuits are early tests of enforcement for the DSA and AI Act. The lawsuits also seek an injunction against the companies’ alleged illegal practices.
Affected users will be able to register for the class action lawsuits directly via SOMI’s platforms and app, or via the class action register of the Federal Office of Justice in Bonn.
The ongoing global challenge to protect users’ personal data
There are billions of users on social platforms worldwide — many of them children — as well as an increasing number of laws to protect their privacy, personal data, security, and mental health.
These influential platforms face increasing demands to meet regulatory requirements or face lawsuits, penalties from data protection authorities, and the erosion of trust from users, advertisers, and others.
However, these companies’ operations generate many billions in profits every year, and they are very influential in society, so regulatory requirements can be at odds with business and other interests.
As pressures (and fines) mount from governments and lawsuits, tech companies are forced to look closely at their operations, their audiences, and their legal responsibilities. They have access to more data — and more sensitive data — than most companies ever have, which brings with it huge opportunities for innovation and financial success, as well as unprecedented global-scale risks from misuse.
Usercentrics helps companies navigate data privacy requirements and achieving data-driven business growth. Achieve and maintain privacy compliance with relevant international laws. Provide users with transparent, legally required information about your data processing operations and clear consent options. Demonstrate your respect for data privacy, avoid legal penalties, build trust with your customers, and get the data you need to grow your business.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.