TikTok China transfers are unlawful
The state of international data transfers in 2025
In May, the Irish Data Protection Commissioner (DPC) announced its decision regarding TikTok's transfer of its users' data from the EU to China.
It stated:
The decision...finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China and its transparency requirements. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
For many years, transfers to the US were the main focus when it came to transfers of EU data to countries outside the bloc. This includes the famous EU data protection cases of Schrems and Schrems II, brought after the Snowden revelations which exposed extensive surveillance operations carried out by US and UK security and intelligence agencies.
Whilst some focus still remains on US data transfers, more attention is now being diverted to Chinese data transfers, and this TikTok decision is the start of it. There may also be issues with companies using DeepSeek's models: the privacy policy of this Chinese AI model developer states that, to provide its services, DeepSeek processes data in China, including account data and prompts. Additionally, complaints have also been filed with EU data protection authorities against AliExpress, SHEIN, Temu, WeChat and Xiaomi.
Things are happening in the US too:
Back in February, the Department of Justice (DoJ) issued Executive Order 14117 titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The Data Security Program implements this order and aims "to prevent China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security." This framework therefore imposes obligations on US companies to restrict the transfer of certain data to countries like China.
The banning of TikTok in the US is underpinned by the Protecting Americans from Foreign Adversary Controlled Applications Act, which was upheld by the US Supreme Court in January. Under this legislation, it is unlawful for a US entity "to distribute, maintain, or update (or enable the distribution, maintenance, or updating of) a foreign adversary controlled application." ByteDance and TikTok are specifically listed as such applications, and other companies that are "determined by the President to present a significant threat to the national security of the United States" could also be added.
The restrictions on Chinese data transfers and Chinese assets can be linked to the wider geopolitical AI race in which various countries are trying to develop their respective AI capabilities, and slow down others if possible. On the latter, the US has also placed sanctions on China regarding the supply of semiconductors.
The Irish DPC's latest TikTok decision may also be a sign of the changing relationship between Europe and China, as Politico notes:
The decision is a watershed moment for Europe’s relationship with Beijing when it comes to the bloc’s flagship data privacy rules and has significant implications for any company transferring personal data from the EU to China.
Friday’s ruling means the “screw is turning” on data flows to China, said Joe Jones, research director at the International Association of Privacy Professionals, which represents people working in the world of privacy globally.
“We’ve had over a decade of EU-U.K., EU-U.S. fights and sagas on [data flows]. This is the first time we’ve seen anything significant on any other country outside of that transatlantic triangle — and it’s China,” said Jones.
It also links to broader national security concerns regarding China, which I have explored previously in the context of TikTok.
What all these developments potentially lead towards is a world of data localisation - countries implementing laws that attempt to prevent or restrict outbound data flows and therefore constrain data processing to within their own borders. And a growing target of concern regarding these outbound data flows is China.
On TikTok China Transfers
The full text of the decision is yet to be published, and so for now we only have the summary the Irish DPC has published on its website. Accordingly, this post covers:
EU data protection law on international transfers of personal data (a quick overview)
Whether TikTok transfers EU user data to China
Where TikTok fell short in complying with EU data transfer rules, according to the Irish DPC
EU data transfer rules
For this post, I will only provide a simplified explanation of the data transfer rules under the GDPR. A more detailed explanation will be included in the follow-up post on the TikTok fine to be published after the Irish DPC releases its full decision.
By default, data controllers and processors in the EU cannot transfer personal data outside of the EU unless one of the exceptions under Chapter V of the GDPR applies. These exceptions include:
The European Commission has made an adequacy decision in favour of the country that the data are being transferred to, as per Article 45. At the time of writing, the Commission has made adequacy decisions for Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK, the US and Uruguay. You can read more about Commission adequacy decisions under the GDPR here.
The controller or processor implements appropriate safeguards for the data transfers, as per Article 46. Appropriate safeguards can be provided for by implementing standard data protection clauses (standard contractual clauses, or SCCs) adopted by the European Commission. The appropriate safeguards need to ensure that the protection of the transferred data is essentially equivalent to that provided under EU law. Therefore, depending on the risks of the transfer, controllers and processors may need to implement supplementary measures in addition to the SCCs to ensure this level of protection.
One of the derogations listed under Article 49 applies. However, these derogations apply to one-off transfers and not regular transfers of personal data that the likes of TikTok may execute in providing its services.
Does TikTok transfer EU user data to China?
Yes.
I previously looked at this question in my post on TikTok's national security threat:
Given the political ideology of the CCP (i.e., the Chinese Dream), and the relationship between the CCP and private enterprise in China (see the Huawei case described before in this post), it is probably difficult to assert that there is no Chinese access of the data processed by TikTok.
Unsurprisingly, TikTok has tried to argue that there is no such access as well as point out that it has data centres located outside of China and that none of its data is subject to Chinese law. See also this BBC article from July 2020.
In reality, there are several pieces of evidence suggesting Chinese access to data. In fact, the clearest piece of evidence comes from TikTok itself: an update to its Privacy Policy for Europe announced on 2 November 2022 by Elaine Fox, its Head of Privacy for Europe. In that update, Fox stated the following:
We currently store European user data in the U.S. and Singapore. Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognised under the GDPR, we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data. Our security controls include system access controls, encryption and network security. (Emphasis added)
Another significant piece of evidence comes from June 2022. This is when BuzzFeed broke a story about leaked tapes from 80 internal TikTok meetings in which China-based employees from ByteDance talk about accessing data about TikTok users from the US:
The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive’s sworn testimony in an October 2021 Senate hearing that a “world-renowned, US-based security team” decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.
There is also this article from Forbes which reports on how ByteDance was planning to use TikTok "to monitor the personal location of some specific American citizens."
Samantha Hoffman, Senior Analyst at the Australian Strategic Policy Institute and an expert on Chinese State surveillance, gave an interview to the MIT Technology Review in August 2020 in which she spoke about how China collects data around the world as part of its SIGINT operations. When asked exactly how the CCP collects this data, she stated the following:
The data used by the Party comes in many forms, including text, images, video, and audio. Inside China, accessing this data is straightforward. To get access to global data, the Party uses state-owned enterprises, both Chinese and foreign tech firms, and partners such as university researchers. (Emphasis added)
For the Irish DPC investigation, TikTok had initially claimed that "it did not store EEA User Data on servers located in China". But later in the proceedings, the social media company revealed to the Irish DPC "an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China." TikTok had therefore provided inaccurate information to the Irish DPC.
Did TikTok comply with EU data transfer rules?
No.
The Irish DPC's findings were as follows:
TikTok had failed to provide appropriate safeguards for the data transfers to China. This means that the SCCs and the supplementary measures that the company had implemented were insufficient to ensure a level of protection of data transferred essentially equivalent to that in the EU. The Irish DPC had determined that the relevant Chinese laws identified by TikTok "materially diverge from EU standards." This includes China's Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law. The Irish DPC has therefore ordered TikTok to suspend the transfer of EU user data to China and has given the company 6 months to bring its processing into compliance with the GDPR.
TikTok's EEA Privacy Policy of October 2021 did not meet the requirements under the GDPR regarding the information on data transfers. The Policy did not name the third countries that data were transferred to and did not explain that data would be remotely accessed by TikTok personnel based in China. TikTok updated its Policy in December 2022 to meet these requirements, and consequently the GDPR infringement only ran from 29 July 2020 to 1 December 2022.
Based on these findings, the Irish DPC is imposing on TikTok a total fine of €530 million, which consists of:
€485 million for the infringements related to the transfers to China
€45 million for the infringement related to the Privacy Policy
This decision could be appealed by TikTok. But for now, TikTok's transfer of EU user data to China remains unlawful under EU data protection law.