Data Protection Alert: what can we learn from TikTok’s €530 million GDPR fine?  

  • Louise Thompson
  • 11 Jun 2025
  • 3 min read

On 2 May 2025 the Irish data protection authority (the DPC) announced it had fined TikTok €530 million for breaches of the (EU) GDPR. Whilst the social media giants of the world tend to be the focus of much data protection enforcement action, this is enforcement action under the (EU) GDPR relating specifically to transfers to China.

There are lessons all UK organisations can take away from this decision in respect of international transfers to any non-adequate country, i.e. a country that the EU (or, in the case of the UK GDPR, the UK) has deemed does not provide an adequate level of protection for individuals’ personal data. The inquiry which led to this fine focused on two main areas:

  • the lawfulness of TikTok’s transfers of personal data of EEA based users to China; and
  • whether the information TikTok provided to EEA based users in relation to these international transfers was sufficient to comply with the GDPR transparency requirements.

What are the key lessons?

1. Remote access = a transfer

An international transfer can occur when personal data is merely accessed by a separate controller or processor in a third country. It does not matter if the data is not stored there.

2. You must ensure equivalent protection

Organisations must be able to verify, guarantee and demonstrate that the personal data of EEA based users is afforded protection which is essentially equivalent to that guaranteed within the EU when it is transferred to a separate controller or processor in a non-adequate third country. In the UK the requirement is a little different: the ICO guidance states that organisations must be satisfied that the relevant protections in the UK GDPR are not undermined for data subjects whose personal data is transferred. It is also worth noting that the DUA Bill proposes a new ‘data protection test’ which the Secretary of State will need to consider in order to decide whether a third country is adequate. This test is whether or not the standard of protection provided to data subjects in the recipient country in question is materially lower than the standard under UK law.

3. SCCs are not a silver bullet

The EU SCCs (or, under the UK GDPR, the UK addendum plus the EU SCCs or the UK IDTA) do not necessarily, on their own, provide sufficient protection for personal data.

4. Risk assessments are mandatory, and must be detailed.

In assessing whether personal data is adequately protected in the destination country, organisations must undertake a risk assessment which considers the following in relation to the destination country in the context of the intended transfer: local laws and practices relating to the protection of personal data, public authority access to personal data, regulatory oversight, commitments in international treaties and data subject redress. If the outcome of such an assessment is that personal data will not be afforded the required level of protection, then the organisation must either put in place protections (i.e. supplementary measures) before making the transfer so that the right level of protection is provided, or not make the transfer at all. In announcing this fine the Irish DPC Deputy Commissioner commented: “As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

5. Reviews must be ongoing.

Such assessments are not a one-time exercise. If changes occur in the destination country, the assessment should be reviewed.

6. Transparency with users is essential.

The GDPR (and the UK GDPR) requires data controllers to provide data subjects with information on the controller’s transfers of personal data to a third country. This must include specifically naming the third countries to which personal data will be transferred (simply saying that personal data may be transferred outside the EEA or UK is not sufficient) and explaining the nature of the processing operations that constitute the transfer (in this case, remote access in China to personal data stored outside China).

Update: A High Court judge in Ireland has granted TikTok a stay on the decision by the Irish Data Protection Commission (DPC) that TikTok must suspend data transfers to China by 29 November 2025. The stay will be in place until early October 2025, when the court will hear an application by TikTok seeking a longer stay until the court hears its full challenge to the DPC decision.

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.