The 530 million euro fine by Ireland's Data Protection Commission against TikTok could mark a watershed moment in data transfer enforcement under the EU General Data Protection Regulation.
The DPC issued the fine after an investigation found the company did not comply with GDPR data transfer obligations, as TikTok's remote access practices allowed European Economic Area user data to be shared with employees located in China. The move marked the first fine from an EU member state over data transfers to China.
In an IAPP LinkedIn Live, DPC Deputy Commissioner Cian O'Brien said employees at ByteDance, TikTok's parent company, were granted access to EEA user data for business needs, which also resulted in personal data transfers to China "in circumstances where the transfers were found to be systemic, repetitive and continuous." Despite TikTok not directly storing vast amounts of EU user data on servers in China, "it's very clear that this remote access did result in a very significant transfer of EEA user data to China," O'Brien said.
Remote access enforcement
The DPC's investigation analyzed the company's privacy policies from 2021-23, where it determined TikTok did not sufficiently inform data subjects their data would be transferred outside the EEA. TikTok updated its privacy policy during the probe, though the DPC issued its decision based on aspects of its 2021 policy which claimed, "data was stored on servers outside of China, and that it was the subject of limited remote access by entities in TikTok's corporate group located in China," O'Brien said.
Due to the DPC's investigation findings, the social platform was ordered to bring its data transfer operations into compliance with the GDPR's obligations within six months or face a potential suspension of TikTok's data transfers to China.
While TikTok did acknowledge discrepancies between the EU and China's data protection standards, "it did not adequately define the scope of those divergences. So, it did not consider the divergences in the specific context of the specific transfers," O'Brien said. "TikTok's position was that, as the data was stored outside of China, the divergences in Chinese law do not result in that lack of essential equivalence."
In response to the DPC's fine, TikTok noted the decision focused on the company's data transfer standards before the implementation of its Project Clover initiative, which now stores European users' data "in a dedicated European data enclave."
O'Brien said the DPC considered changes made by TikTok when forming its enforcement decision and determined it was "still necessary" to order the company to bolster its compliance.
Organizational impact
When transferring consumer data to another country, organizations must assess countries' data protection standards and ensure policies regarding the collection and use of data are transparent for consumers.
"Wherever an entity is transferring personal data based on standard contractual clauses, it must not commence those transfers until it has verified and guaranteed an essential equivalent level of protection. And if it cannot do that, it must not proceed with the transfers," O'Brien noted.
The DPC's enforcement against TikTok has gone uncontested by other EU data protection authorities, potentially signaling a trend in DPA enforcement of GDPR's data transfer obligations. O'Brien claimed as the GDPR enters its seventh year of enactment, "there's a lot more certainly in the law which makes it a lot easier for data protection authorities to agree on the correct interpretation on really novel and really tricky points of law."
With major enforcement decisions and hefty fines for organizations, companies should fully address compliance obligations and be able to dispute potential concerns from regulators. If organizations' standard contractual clauses do not "verify and guarantee essential equivalence" for their specific data transfers, O'Brien recommended companies "look for alternatives and to look at localization, to look at derogations, and to not commence transfers until they have achieved that level of essential equivalence."
Lexie White is a staff writer for the IAPP.