The DPC’s mega sanction on TikTok (€530 million)
...And five good links more as dessert.
Today, our main course is a long summary of the DPC’s sanction on TikTok—because the occasion deserves it—and, for dessert, a selection of five: just five essential links this week.
If you want to skip the TikTok stuff, scroll down a bit.
If not, keep reading.
Last week, the DPC gave several gifts to TikTok:
(i) A 530-million-euro fine and
(ii) bans on continuing to transfer EU users’ data to China and processing it there (more precisely, “from there”, since most data is stored outside China).
But as often happens in these cases, the rest of us are going to be splashed by this too.
This resolution blows up 99% of the “Transfer Impact Assessments” or TIAs you might come across out there, and of the “additional measures” that are often presented as sufficient to compensate for the “shortcomings” detected in intelligence laws versus the European protection standard.
That is, this resolution calls into question ALL transfers based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). It also shows the limited scope of the famous reports commissioned by the EDPS on China, Russia, and India; and on Mexico and Turkey (Milieu I and II), since the DPC decided to accept those presented by TikTok from large local law firms and specialists.
And it reminds us that, to the authorities’ taste, the data subject is not free to consent to whatever they want.
You are reading ZERO PARTY DATA. The newsletter about tech news from the perspective of data protection law and AI by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we like solving complex matters in personal data protection and artificial intelligence. If you have any of those, give us a wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
Context
This decision (with the participation of the EDPB and the authorities from the Netherlands, CNIL, and Germany (Berlin)) has implications for everyone:
ByteDance made an effort to store Europeans’ data outside China (its famous “Project Clover”), but AH! if that data can be accessed and read from China, then it’s not possible to guarantee “protection of rights equivalent to the European one.”
The legitimization problem with China is not in the SCCs used, but in the TIA (transfer impact assessment) which was as generous and optimistic as any you might read day to day: it focused on the strongest arguments and glossed over everything else—in particular, it never explained the possibility of remote access and reading from China of users’ data stored in the USA, Malaysia, and Singapore.
The “differences” between Chinese and European “intelligence laws” may be a “bug” or a “feature”, depending on how important you find respect for citizens’ fundamental rights.
But this post is about something else.
The result for the DPC is that China does not meet the “equivalence of European protection” (and no country does—only some are blessed with a “Commission adequacy declaration”).
To comply you’d need...
Additional measures: TikTok offers state-of-the-art big-platform measures, but of course, these only work against third parties, not against its own employees in China. (Remember: the problem is remote access from China to data stored anywhere.)
So these measures don’t solve anything.
And always remember:
The insufficiency of the TIA and additional measures doesn’t just affect organizations relying on SCCs for their transfers: it also affects those using Binding Corporate Rules.
Article 49 GDPR exceptions. As the icing on the cake, the DPC declares—with the EDPB behind it—that a single data subject’s consent cannot legitimize recurrent and ongoing data transfers in a case like this.
But let’s get to the details of the Resolution:
Scope and Context of the Investigation
The DPC’s investigation covers from July 29, 2020 (just after the Schrems II ruling) to May 17, 2023 (just before, though unrelated to, the approval of the US DPF).
Material scope:
Breaches linked to transfers of EU Users’ data to China consisting of remote access by staff of ByteDance Group companies located in China, even though the personal data was stored on servers outside China.
“Chinese balls” (it could have been much worse)
They should have imposed triple the fine: The DPC based its resolution on statements from TikTok Ireland that data was not stored in China (the sanctioned transfer is remote access from China to servers outside that country).
However, TikTok Ireland later revealed (in April 2025) that it WAS storing European user data on servers in China. These revelations were not considered in this sanction.
Questions reviewed by the DPC:
1. Was it lawful to rely on the 2010 Standard Contractual Clauses (SCC) and, subsequently, the 2021 ones? For these purposes…
2. Did TikTok Ireland correctly assess the level of personal data protection in China (the “essential equivalence” to the European protection level: that elusive concept)? Guess.
3. Effectiveness of the, haha, supplementary measures;
4. Could TikTok rely on Article 49 GDPR exceptions?
5. Compliance with the transparency obligations of Article 13.1.f) GDPR.
Essential Equivalence and Article 46 (Questions 1 and 2)
Remember that for data transfers to a third country to comply with Article 46 of the GDPR (in the absence of an adequacy decision—which isn’t here, nor expected), the exporter must verify, guarantee, and be able to demonstrate that the level of personal data protection is essentially equivalent to that guaranteed by the GDPR within the European Union.
TikTok Ireland used the SCCs (Standard Contractual Clauses)—those from 2010, then 2021 when published—as the relevant transfer tool. In its Transfer Impact Assessments (TIAs), TikTok Ireland recognized that the Chinese legal framework did not reach the European standard in several aspects and that, “considered alone”, the SCCs would not ensure essential equivalence.
The Chinese Trojan horse, or the clever idea to support their compliance claim and offset these shortcomings, was the principle of territoriality:
China demands respect for its sovereignty (in the sense of non-interference in its own national affairs) and, reciprocally, respects the same principle in its public and private international relations.
As a result, Chinese authorities are not legally empowered to force disclosure of data not stored domestically in China, or don’t do so de facto.
The DPC rejected this conclusion.
Despite three legal reports from Chinese firms and a fourth from Clifford Chance—China Office—(more on this one later, because holy moly), all emphasizing the lack of Chinese extraterritorial jurisdiction to access data stored abroad, the DPC held that TikTok Ireland did not respond to repeated requests for clarification regarding the possibility (and the legal treatment) of remote access by ByteDance personnel in China to Europeans’ personal data hosted in Singapore, Malaysia, and the US.
The Clifford Chance Thing
The DPC documents only two details of this report. The second is gold:
The first: judge for yourself:
The second: a report signed by Nobody:
Supplementary Measures (Question 3)
TikTok Ireland: “I have implemented the most modern and advanced technical (like data encryption in transit and at rest), contractual and organizational measures.”
DPC: “Yes, my dear, you’ve implemented the standard measures for any platform of this size. These measures protect the data against third-party attackers, yes, but they don’t prevent your Chinese staff from remotely accessing the data stored outside China. These staff could access the data in plain text (decrypted) to perform maintenance and support operations.
And if Chinese authorities order your folks in China to remotely access European users’ data, they will do so without violating that cute principle of territoriality you mentioned.”
Article 49 Exceptions (Question 4):
TikTok Ireland did not invoke Article 49 exceptions during the investigation, but very much like Meta, it explicitly reserved the right to do so if, as was very likely, the DPC ended up hitting them with its decision.
So the DPC analyzed its possible future use and reached two conclusions.
First, it reminds us that Article 49 cannot legitimize the Data Transfers under investigation, because they are of a systematic, repetitive, and continuous nature.
And the exceptions, like contractual necessity (Article 49.1.b) or compelling legitimate interests (Article 49.1, second subparagraph), must be interpreted strictly and are intended for occasional or non-repetitive transfers. The EDPB has said this many times.
But pay attention to what it says about consent:
Consent must be specific for the particular data transfer/set of transfers. One of the requirements of valid consent is that it must be specific. In order to constitute a valid ground for a data transfer pursuant to Article 49.1.a), hence, consent needs to be specifically given for the particular data transfer or set of transfers.
Since consent must be specific, it is sometimes impossible to obtain the data subject’s prior consent for a future transfer at the time of the collection of the data, e.g. if the occurrence and specific circumstances of a transfer are not known at the time consent is requested, the impact on the data subject cannot be assessed.
Nothing new under the sun: the EDPB had already said this in its guidelines specifically about Art. 49. And even earlier, back when it was still the WP29, as the footnote in the 5/2020 consent guidelines reminds us:
According to Article 49 (1)(a) GDPR, explicit consent can lift the ban on data transfers to countries without adequate levels of data protection law. Also note Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995 (WP 114), p. 11, where WP29 has indicated that consent for data transfers that occur periodically or on an on-going basis is inappropriate.
What, IMHO, hadn’t yet been applied de facto is that, considering the circumstances of the TikTok case and applying the above:
The DPC finds that the requirement that consent be “explicit” and that it relate to “the proposed transfer” precludes a single consent being obtained for continuous and ongoing data transfers and/or different sets of transfers. The DPC is also of the view that seeking a single open-ended consent for continuous and ongoing data transfers and/or different sets of transfers is not compatible with the obligation to inform the data subject of the possible risks of the transfers being made.
Transparency and Article 13.1.f (Question 5)
Article 13.1.f GDPR obliges the controller to inform the data subject about transfers to a third country, the transfer mechanism used, and how to obtain a copy of the safeguards.
According to the DPC, the EU Privacy Policy from October 2021:
Did not explicitly identify China as the third country recipient of data via SCCs; and
Did not adequately describe that the transfer consisted of remote access from China to data stored in Singapore and the United States.
The Privacy Policy updated in December 2022 was compliant, which was considered to mitigate the penalty for this breach.
Sanctions:
Order to Suspend Transfer of EU users’ personal data to China (Article 58.2.j): Considered a necessary and proportionate measure as TikTok failed to verify or guarantee equivalent protection for European users’ data.
Order to cease unlawful data processing in China (Article 58.2.d): TikTok Ireland was ordered to end unlawful processing in China of EU User Data transferred in breach of the GDPR.
Administrative fines (Article 58.2.i): Fines were imposed in addition to the orders.
· Breach of Article 46(1) (transfer of data without guaranteeing essential equivalence): €485 million.
· Breach of Article 13(1)(f) (failure to fulfill transparency obligations): €45 million.
The total fines imposed amount to €530 million.
Deadlines:
The two orders (suspension of transfers and regularization of data processing in China) will apply six months after (i) the deadline to appeal the DPC’s final decision expires or (ii) any EDPB decision is sought to be annulled, whichever is later.
Bonus clip
There’s always an argument that sounded spectacular in someone’s head, but turns out not to be such a big deal (or it’s not you landing the punch).
In that huge La Caixa sanction we had the thing about the linguistic expert who had validated the informative text, and here we see a literal reading of the Collins dictionary entry for “storage”. Veeeery Lionel Hutz.
TikTok Ireland’s position is that it does not consider that the use of its Remote Access Solution results in any “storage” of EEA User Data in China. TikTok Ireland’s definition of “storage” is premised on providing “a location for data when it is not being used, so that it can be later retrieved for any purpose.” It relies on definitions of “storage” in (i) the Oxford English Dictionary, “the action of storing or laying up in reserve” or store “a stock of anything… laid up for future use”; and (ii) the Collins Dictionary, “If you refer to the storage of something, you mean that it is kept in a special place until it is needed”. On that basis, TikTok Ireland does not consider that the processing carried out in China in connection with the Remote Access Solution is storage or a storage solution.
And for dessert… five links
1.- Don’t get it wrong: Deloitte’s blunder with the Australian Government is not a technology problem: it’s a governance problem, typical of those places that charge partner rates for work done by a junior with ChatGPT. You’d be dumb (as would Deloitte) not to use AI in your work.
What matters is somewhere else.
2.- The long read that brightened my Sunday morning: Tim Berners-Lee (the man who gave us the World Wide Web) has a few things to say about these times we’re living in.
3.- Looking for some effective storytelling examples to help your audience understand (and not forget) exactly what decisive human oversight should be under the GDPR and the AIA? You’ve found them. Katalina Hernández has you covered.
4.- Very much in line with the TikTok thing, this inspired piece by Enrique Dans: The fiction of informed consent in the digital era.
5.- We say goodbye with this high-density doc for data junkies like you and us: Mapping relevant data collection mechanisms for AI training.
Until next week: be very careful out there.