Let’s discuss TikTok’s GDPR transfers. Managing cross-border data flows under GDPR can be as treacherous as navigating iceberg-strewn waters — hidden dangers lurk beneath the surface. TikTok recently discovered how severe those dangers can be, facing a landmark €530 million fine by the Irish Data Protection Commission (DPC) for unlawful international data transfers to China. This enforcement action has become a significant GDPR precedent, extending Schrems II principles beyond the United States for the first time.
This article unpacks the details behind this groundbreaking enforcement, clarifies why TikTok’s international data practices triggered regulatory scrutiny, and highlights essential lessons for organisations transferring data outside the EU.
Background and legal framework
To fully grasp the TikTok GDPR transfers issue, it’s essential to understand GDPR Chapter V, which strictly regulates personal data transfers from the European Economic Area (EEA) to third countries that lack adequacy decisions. Under Article 46, data exporters must use appropriate safeguards, commonly Standard Contractual Clauses (SCCs), to ensure a level of protection essentially equivalent to that provided in the EU.
The landmark Schrems II judgment, delivered by the Court of Justice of the European Union (CJEU), underscores the requirement for rigorous assessments of third-country laws. Organisations must ensure that no foreign laws undermine SCC protections, especially in terms of government surveillance, access to data, and judicial oversight. The relevant authorities further clarified that remote access to personal data from third countries constitutes an international transfer under GDPR, whether data physically moves or not.
The enforcement action against TikTok’s GDPR transfers
The Irish DPC investigated TikTok’s data transfer practices from September 2021 to May 2023. On 2 May 2025, the DPC fined TikTok €530 million and issued a suspension order prohibiting transfers of personal data from the EU to China. The case focused on employees in China remotely accessing EU user data stored in the EU, rather than physical data storage in China.
TikTok primarily relied on SCCs for transfers to China, but fell short by:
- Not adequately assessing the impact of Chinese surveillance and access laws on transferred data.
- Wrongly assuming Chinese laws didn’t apply because the data wasn’t physically stored in China, ignoring remote access implications.
- Failing to transparently disclose China as a data transfer destination in privacy notices from 2021.
These shortcomings resulted in violations of Article 46 (transfer safeguards) and Article 13(1)(f) (transparency requirements).
The TikTok enforcement action significantly expands Schrems II principles beyond U.S.-specific contexts. The DPC established that organisations transferring data globally must scrutinise every jurisdiction, especially countries like China, where the legal protections fall significantly short of EU standards.
TikTok’s critical errors included generalising risk assessments rather than tailoring them to its operations. The DPC found TikTok’s supplementary safeguards, such as contractual and organisational measures, ineffective at mitigating government access risks inherent in Chinese law. TikTok’s safeguards were good on paper but inadequate in practice.
To rectify TikTok’s GDPR transfer breaches, the DPC imposed an order requiring TikTok to bring its processing of EEA user data into compliance with Chapter V of the GDPR and suspending transfers of EEA user data to China. It ultimately decided to impose a fine of €485 million for violating international transfer safeguards (Article 46) and €45 million for transparency violations (Article 13(1)(f)).
The substantial penalties reflect the severity of TikTok’s compliance failures and reinforce the strict approach mandated by Schrems II.
Broader implications and trends
This decision stands apart from other significant GDPR enforcement actions against global technology companies such as Meta, Amazon, and WhatsApp: it is the first substantial GDPR ruling directly targeting China-related data transfers. The absence of objections from other EU data protection authorities demonstrates strong regulatory alignment across Europe, marking a notable shift towards coordinated enforcement actions.
Organisations should anticipate heightened scrutiny for transfers to high-risk jurisdictions, including Russia and similar non-EU countries where government surveillance poses significant data protection risks.
Lessons for organisations from TikTok’s GDPR transfers
Organisations can learn several critical lessons from the TikTok GDPR transfers case:
- Recognising remote access as a transfer trigger: Remote access by staff or contractors outside the EU automatically triggers GDPR international transfer rules. It doesn’t matter whether the data remains stored within the EEA; access alone suffices.
- Conducting specific, country-level assessments: Generic assessments of local laws are insufficient. Organisations must thoroughly evaluate how third-country laws practically affect their specific data transfers, including direct implications for surveillance and judicial protections.
- Designing targeted safeguards: Technical, contractual, and organisational safeguards must explicitly address risks identified in transfer impact assessments. General or theoretical measures won’t pass regulatory scrutiny.
- Meeting strict transparency obligations: Transparency requirements are stringent. Organisations must name all countries involved in data transfers and detail precisely how data transfers occur, ensuring clarity in privacy notices accessible to all users.
Actions you can take next
The TikTok case is a watershed moment in GDPR enforcement, setting clear expectations for robust compliance with international data transfer requirements. Organisations transferring data outside the EU must perform detailed assessments, implement tailored supplementary measures, and inform users about transfer practices transparently. This ruling underscores that regulators will no longer tolerate vague compliance efforts, particularly when transferring data to high-risk jurisdictions like China.
Regulatory expectations are evolving rapidly, demanding proactive, specific, and transparent compliance strategies. As TikTok’s case demonstrates, organisations ignoring these lessons risk severe penalties and reputational damage.
Your organisation can:
- Enhance compliance by auditing all scenarios where international remote access occurs in your organisation. We can help you with this and other aspects of cross-border transfers through our data protection compliance programme.
- Reduce legal risks by updating your transfer impact assessments and strengthening your SCC clauses immediately. Contact us for assistance with your transfer impact assessments.
- Stay ahead of enforcement trends by subscribing to updates and insights about GDPR enforcement and data protection best practices. You can do this by subscribing to our mailing list.