The April 2025 decision of the Irish Data Protection Commission (“DPC”) against TikTok (“Decision”) is one of the most important post‑Schrems II enforcement actions to date. TikTok was fined €485 million for unlawful data transfers to China and €45 million for transparency failures (namely, the lack of specific information in its privacy notice about such transfers), and was ordered to suspend the relevant data transfers to China.[1] The Decision is currently subject to appeal and, following an order of the Irish High Court on 14 November 2025, its implementation is on hold.[2]
It is worth taking a deeper dive into the implications of this Decision, as it goes to the heart of how organisations should approach transfer risk/impact assessments (“TRAs”) and supplementary measures when relying on the EU Standard Contractual Clauses (“SCCs”) or other appropriate safeguards. In particular, it illustrates how a supervisory authority expects those requirements to be implemented in practice following the CJEU’s Schrems II judgment, which requires organisations transferring personal data to ensure a level of protection essentially equivalent to that guaranteed within the EU. Importantly, although TikTok did carry out TRAs and implemented certain supplementary measures, that alone was not sufficient to ensure compliance. Rather, the Decision indicates that TRAs and related supplementary measures must be substantively robust so as to ensure an essentially equivalent level of protection.
1. What did the DPC decide about TikTok’s transfers?
a) Background
TikTok stored EEA user data on servers in Singapore, the US and Malaysia, but allowed personnel from ByteDance group entities in China to access that data remotely to perform core functions (such as content delivery, security, research and development, analytics, online payments, customer and technical support, and content moderation), which constitutes a “transfer” of personal data to China.[3]
TikTok relied on the SCCs, together with supplementary measures,[4] and had prepared TRAs for those data transfers to China with a leading Chinese law firm.[5] Those TRAs accepted that Chinese law and practice diverge from EU standards, including the European Essential Guarantees, particularly in relation to surveillance and national security powers (including the Anti‑Terrorism Law, Counter‑Espionage Law, Cybersecurity Law and National Intelligence Law).[6]
In its TRAs and its submissions in the inquiry, TikTok’s central legal argument for justifying the transfer was based on the territoriality principle in Chinese law: TikTok argued that Chinese authorities could not lawfully compel entities or individuals in China to provide data that was accessed only remotely and not stored domestically in China. On that basis, TikTok claimed that the relevant provisions of Chinese law could not undermine the effectiveness of the contractual safeguards contained in the SCCs in respect of such data.[7]
b) Findings
The DPC rejected TikTok’s argument. It held that TikTok failed to address the possibility of Chinese authorities obtaining access to personal data that was temporarily processed in China by way of remote access, even though the data was stored on servers located outside of China.[8] Accordingly, TikTok’s TRAs were found not to establish that the territoriality principle would prevent such access while the personal data was being routinely “transferred” to China.[9]
The insufficient consideration of the territoriality principle resulted in the following sequential failures:
- TikTok failed to adequately assess the law and practices in China in the context of the data transfers, because it assumed that the territoriality principle excluded the application of the relevant problematic laws to EEA user data without examining those laws in sufficient detail.[10]
- As a consequence, TikTok failed to assess the level of protection afforded to the personal data of EEA users subject to transfers to the China group entities using SCCs, because, in order to do so, it was necessary to adequately assess the law and practices in China in the context of the data transfers.[11]
- In turn, TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users subject to the data transfers was afforded a level of protection essentially equivalent to that guaranteed within the EU, because, in order to do so, it was necessary to consider and address all relevant aspects of the law and practices in China that could have a bearing on the level of protection afforded to the specific data transfers.[12]
In addition, the DPC held that:
- The supplementary measures implemented did not address the risk of Chinese authorities accessing the personal data. While TikTok implemented a number of measures, including encryption, these were general security measures intended to prevent unauthorised access and could not prevent access enabled by the relevant problematic laws.[13]
- TikTok could not rely on the derogations under Article 49 of the GDPR (such as contractual necessity and compelling legitimate interests), as those derogations apply only to occasional or non‑repetitive transfers,[14] whereas the transfers in question were systematic, repetitive and continuous.[15]
As a result, the DPC concluded that TikTok had unlawfully transferred EEA user data to China in breach of Article 46(1) of the GDPR.[16]
2. Factors affecting the level of the fine
The DPC considered the following factors in accordance with Article 83(2) of the GDPR, which sets out the matters to which due regard must be had when deciding whether to impose a fine and, if so, its amount:[17]
- Nature, gravity and duration of the infringement: the transfers were systematic, repetitive and continuous, supported core platform functions, involved a very broad range of data,[18] continued over a number of years,[19] and affected a very large number of EEA users; the loss of control and increased risks for those users were treated as non‑material damage and contributed to the DPC’s finding that the gravity of the infringement was high.[20]
- Negligent character: the infringement was assessed as negligent to a high degree, notwithstanding TikTok’s carrying out of TRAs.[21]
- Degree of responsibility: given the nature, purposes and scale of TikTok’s processing, it ought to have implemented appropriate measures, and was considered to bear a high degree of responsibility for its failure to do so.[22]
- Categories of personal data: the transfers involved data the dissemination of which is likely to cause immediate damage or distress to the data subjects, such as data about users’ daily lives and interests, location data, data on private communications, and financial data; user‑generated content and direct message content were considered capable of revealing special category data.[23]
- Other factors: the adverse financial consequences for TikTok resulting from the orders in this Decision were taken into account as a mitigating factor of moderate weight.[24]
3. Key takeaways from the Decision
The Decision provides several important lessons for organisations relying on SCCs for international transfers to China and for international transfers more generally.
a) TRAs must be substantively robust
Merely preparing a TRA is not sufficient. While TikTok did prepare the TRAs with a Chinese law firm and accepted that Chinese law and practice diverge from EU standards, including the European Essential Guarantees, the DPC found that the TRAs did not adequately assess the relevant Chinese laws, as TikTok’s reliance on the territoriality principle resulted in a failure to properly engage with those laws in the context of the actual transfers.
For organisations, this means that TRAs must go beyond high‑level descriptions of local law, include detailed analysis (including any shortcomings measured against the European Essential Guarantees), and form a defensible basis for concluding whether an essentially equivalent level of protection can be ensured in practice.
b) Supplementary measures must meaningfully address risks
Supplementary measures must be capable of addressing specific risks, such as access by public authorities under the destination country’s laws. TikTok implemented a number of measures, including “Project Clover”, its €12 billion, industry‑leading data security initiative;[25] nevertheless, the DPC considered that the measures implemented were general security measures designed to prevent unauthorised access and did not address the risk of Chinese authorities accessing the personal data.
For organisations, this means that general security measures (for example, encryption and access controls) will not be sufficient if they do not prevent or meaningfully reduce the risk of access supported by problematic laws. Accordingly, supplementary measures must be designed with a clear understanding of the relevant risks and be capable, in practice, of mitigating those risks in relation to the specific transfers.
c) Article 83(2) factors are a useful reference point for risk management
The factors considered under Article 83(2) of the GDPR also provide a useful framework for organisations’ own risk management. In TikTok’s case, the DPC assessed the fine by reference to those factors, including the nature, scope and purpose of the transfers, as well as the number of data subjects and the categories of personal data.
When designing and reviewing international transfers, it is reasonable for organisations to use these same factors (as applicable) as a lens for a granular approach to risk. In particular, transfers that are large‑scale, long‑term, central to core services, involve sensitive or high‑impact data, or affect large numbers of individuals should be subject to enhanced scrutiny and stronger supplementary measures than lower‑risk transfers.
4. Practical steps – and how CtrlTransfer helps
In light of the Decision, organisations should carry out or, where necessary, revisit TRAs for transfers to non‑adequate countries and refresh them to include a detailed and transfer‑specific analysis of local law. Organisations should also review and, where necessary, redesign supplementary measures so that they meaningfully address government access risks (for example, through strong encryption with key separation, pseudonymisation and data minimisation), and adopt a risk‑based approach to international transfers that reflects the Article 83(2) factors.
CtrlTransfer is designed to make these steps practical and consistent across an organisation’s global data flows by:
- providing detailed, jurisdiction‑specific analysis of data protection and government access laws, mapped and scored against the European Essential Guarantees, together with TRA templates that prompt users to apply that analysis to the specific transfer. This helps to ensure that TRAs address the factors that regulators care most about;
- supporting the design of meaningful supplementary measures by identifying where and how local law falls short and highlighting possible supplementary measures, so that measures are targeted at government access risks rather than generic security controls; and
- enabling a granular approach to transfer risk by providing an objective country risk score that can be combined with transfer‑specific factors, so that higher‑risk transfers are automatically routed through more detailed assessment and stronger controls, while lower‑risk transfers are handled proportionately within a consistent, auditable framework.
[1] See DPC, ‘Inquiry into TikTok Technology Limited - April 2025’.
[2] See TikTok, ‘Update on Irish GDPR decision about TikTok’s "transfers of EEA User Data to China"’.
[3] Paras 162 and 227 of the Decision.
[4] Para 426 of the Decision.
[5] Para 279 of the Decision.
[6] Paras 302, 303 and 308 of the Decision.
[7] Paras 349 and 382 to 383 of the Decision; see also “Finding 1: TikTok infringed Article 46(1) GDPR” in the summary of the decision (“Summary”).
[8] While this Decision was made on the assumption that the personal data was not stored in China, at a later stage of the procedure, TikTok informed the DPC of an issue discovered in February 2025, namely that limited personal data had in fact been stored on servers in China, contrary to the evidence TikTok had submitted during the procedure. The DPC has stated that it intends to publish the full decision taking this fact into account (see DPC, ‘Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China’).
[9] Paras 380 and 384 of the Decision.
[10] Para 420 of the Decision.
[11] Para 417 of the Decision.
[12] Para 419 of the Decision.
[13] Para 496 of the Decision.
[14] Paras 561 and 566 of the Decision.
[15] Para 568 of the Decision.
[16] See “Finding 1: TikTok infringed Article 46(1) GDPR” in the Summary.
[17] Para 271 of the Decision.
[18] Para 725 of the Decision.
[19] Para 735 of the Decision.
[20] Paras 729, 730 and 732 of the Decision.
[21] Para 744 of the Decision.
[22] Para 757 of the Decision.
[23] Paras 762 and 763 of the Decision.
[24] Para 768 of the Decision.
[25] See TikTok, ‘Our Response to the Irish Data Protection Commission Decision on Data Transfers’.