Irish Data Protection Commission announces TikTok fine for non-compliance over data transfers to China
Friday, 09 May 2025
The Decision
On 2 May 2025, the Irish Data Protection Commission (“DPC”), as lead supervisory authority, announced its decision in an inquiry into TikTok concerning (i) the lawfulness of transfers of user personal data to China; and (ii) whether TikTok had met its transparency obligations to data subjects under the GDPR in respect of such transfers (the “Decision”). The DPC found that TikTok has infringed the GDPR, suspended the transfers and imposed administrative fines of €530 million, along with an order requiring TikTok to bring its practices into compliance within a period of six months.
In respect of (i), the Decision found that TikTok’s transfers to China infringed Article 46(1) of the GDPR, as TikTok had failed to ‘verify, guarantee and demonstrate’ that the supplementary measures and the Standard Contractual Clauses (“SCCs”) used were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU. We have expanded on these requirements below.
In respect of (ii), Article 13(1)(f) of the GDPR requires data controllers to provide data subjects with information on transfers of personal data to third countries. The DPC found that TikTok’s privacy policy was inadequate in two key respects for these purposes: (a) it did not name the third countries, including China, to which personal data was transferred; and (b) it did not explain the nature of the processing operations that constituted the transfer (i.e. that the processing included remote access to personal data stored in Singapore and the U.S. by personnel based in China).
How does the Decision relate to my business?
The Decision does not prohibit data transfers to China and it is also important to note that TikTok disagrees with the Decision and intends to fully appeal it. However, as the Decision stands, it would be prudent for organisations that transfer personal data to China to review their processes to ensure they have undertaken necessary assessments to safeguard the data as required by law. Where any organisation (an exporter) is “transferring” personal data outside the EEA to a third country (an importer), then either an EU Commission adequacy decision or appropriate safeguards under Article 46 of the GDPR must be applied.
A “transfer” for this purpose includes both direct access and remote access (to servers within the EEA) from outside the EEA. The most common situations where we see non-EEA transfers arising for clients are where contractors are engaged outside the EEA to provide IT or other remote services, where there are intra-group transfers to non-EEA entities within a client group, or, in the course of a proposed transaction, where it is necessary to share personal data with acquirers/investors based outside the EEA. It is also necessary for controllers to carry out adequate due diligence on their processors/sub-processors, which includes raising sufficient queries to assess any “onward” transfers to ensure that they are carried out in a compliant manner.
The current list of adequacy decisions is available on the EU Commission website. To date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay. The European Data Protection Board (“EDPB”) has published extensive step-by-step guidance as to how to validly effect non-EEA transfers in compliance with the GDPR where no adequacy decision applies (the “Guidance”).
The most commonly used appropriate safeguards are the EU Commission approved SCCs. EU Commission Binding Corporate Rules (“BCRs”) may also apply for larger organisations where these have been successfully applied for, as well as ad hoc contractual arrangements approved by supervisory authorities, which include administrative arrangements between public bodies. The key purpose of the SCCs is to bind the importer to apply equivalent standards to the GDPR. The terms of the SCCs cannot be varied, but may be supplemented. They can form part of a larger contract or can be stand-alone.
Where the SCCs are used, a transfer impact assessment (“TIA”) should also be carried out in a format which aligns with and satisfies the requirements of the Guidance. The purpose of the TIA is to assess the local laws of the importer for ‘equivalence’ with the GDPR. Supplementary (organisational, contractual and/or technical) measures may also be required to be put in place, depending on the outcome of the TIA. Appropriate technical and organisational security measures are, in any event, required to be applied under the GDPR, irrespective of whether there are international transfers involved or not. The DPC has been clear in the Decision that the purpose of the SCCs, TIA and supplementary measures is “to ensure that the high level of protection provided to personal data within the European Union continues where personal data is transferred to a third country”.
Organisations also need to ensure that they have satisfied their transparency obligations to data subjects (whether employees or members of the public availing of their services) through appropriate data privacy policies and notices which clearly articulate where the personal data is being sent/accessed and what measures are in place to protect the data.
Does any de minimis apply for low-risk/one-off transfers of personal data?
Minimal derogations apply under Article 49 of the GDPR, which can be relied upon in limited circumstances and subject to applicable criteria. The EDPB has also published guidance on this area which should be referred to in assessing the suitability of any proposed derogations.
Each transfer or set of transfers needs to be assessed on a case-by-case basis using a risk-based approach. Factors such as there being a minimal amount of personal data being transferred, the transfer being one-off, or the categories of personal data being very low risk will also impact whether a positive conclusion can be reached in any TIA and the proposed usage of the SCCs to validate the transfers.
High risk transfers (e.g. involving significant volumes of special category/health data), on the other hand, will be much more challenging to effect safely and will also require a separate Data Protection Impact Assessment to be carried out for the purposes of Article 35 of the GDPR.
The EU Commission has recently announced that it is considering simplifying GDPR requirements for smaller businesses, particularly those with fewer than 500 employees, to reduce administrative burdens and improve competitiveness. It is understood that these changes may be limited to overall record keeping requirements and there is currently no indication that the rules on non-EEA transfers will be reduced.
What should I do next?
We would suggest that all organisations review and assess their non-EEA transfers in light of the Decision to ensure that they have taken the appropriate measures to comply with these requirements. It is important to note that TikTok had SCCs in place, but the DPC still took issue with the level of protection of personal data provided by Chinese law and practices. Consequently, the Decision highlights the importance of identifying whether, in addition to SCCs, supplementary measures are needed to safeguard personal data being transferred where a risk to that data is identified. The Decision also underlines the importance of having clear and easily understandable privacy policies which set out the position on non-EEA transfers.
If this affects your business, then please let us know and we can assist you with assessing your transfers, carrying out TIAs, implementing the SCCs and other appropriate safeguards as required, as well as assisting you in raising the right questions with any processors/sub-processors you engage on your behalf to process personal data outside the EEA and in updating your privacy policies in this context.
For further information please contact Partners Zelda Deasy, Seán O'Donnell, Jane O’Grady or any member of the Byrne Wallace Shields LLP Privacy and Data Protection team.