The recent €485m fine issued by the Irish Data Protection Commission (IDPC) against TikTok regarding personal data transfers to China made headlines for reasons beyond its size. The decision also caught the attention of companies across sectors with operations in China and elsewhere, as it highlights a hardline approach towards international data transfers that may well extend to other jurisdictions not considered ‘adequate’ by the European Commission.
Background: The rules for international data transfers
The core issue for personal data transferred outside the EU is ensuring that they are protected in a way that is ‘essentially equivalent’ to protections available under the EU General Data Protection Regulation (GDPR). For most businesses, this has meant concluding so-called Standard Contractual Clauses (SCCs), issued by the European Commission, between the data exporter (the entity based in the EU) and the data importer (the entity based in a country outside the EU, eg, China).
Since the Court of Justice of the European Union's Schrems II decision in 2020, concluding SCCs is no longer sufficient on its own. Businesses must also conduct a so-called Transfer Impact Assessment (TIA) that documents the specific circumstances of the transfer, analyses (and keeps under review) the impact of the destination country's laws and practices, and sets out the supplementary measures the company has put in place to minimise the risk of overly broad (governmental) access to personal data processed abroad (eg, encryption with the keys held only by the EU exporter, or sharing only pseudonymised data, where direct identifiers have been replaced before sharing and the re-identification key remains with the exporter).
The IDPC's decision: raising the bar
The IDPC's inquiry into TikTok focused on alleged transfers of European user data to China. The IDPC argued that TikTok failed to adequately ensure and demonstrate that data transferred to China received protection equivalent to EU standards, particularly before TikTok began implementing its significant EU data governance strategy. This strategy includes storage of EU user data in the EU, strict access controls, deployment of privacy-enhancing technologies and independent external reviews. The IDPC nevertheless highlighted concerns that certain Chinese laws (eg, the Anti-Terrorism Law and the National Intelligence Law) could in theory require the company to grant authorities in China access to EU user data, regardless of whether such access had actually occurred or was in fact technically possible or likely.
TikTok argued that it never provided EU user data to Chinese authorities and has since invested heavily in an ‘industry-leading data security initiative’ (reportedly costing €12bn) to mitigate potential risks stemming from potential access to EU user data from China (eg, for technical maintenance purposes).
While the fine mainly relates to the period before these data security measures were fully implemented, the IDPC's stance points to a very restrictive approach to assessing personal data transfer risks more generally. In particular, the IDPC exercised its corrective powers and ordered TikTok to suspend its data transfers to China. It did so even though TikTok appears to have implemented state-of-the-art security measures ensuring that only limited amounts of pseudonymised, non-sensitive EU personal data can be remotely accessed by staff in China, and only under very restricted circumstances. Authorities in China should therefore generally not be able to extend their jurisdiction to such data.
The decision was widely criticised for its overly restrictive approach. Following TikTok’s appeal, the High Court of Ireland temporarily suspended the IDPC’s order, allowing TikTok to continue operations in which EU user data can – under certain limited circumstances – be remotely accessed by certain staff in China.
Risk-based vs zero-risk approach
Although the full text of the IDPC's decision is still to be released, it appears to align with regulatory practices that require the risk of access by authorities in the respective country to be categorically excluded (a so-called ‘zero-risk approach’). However, a zero-risk approach would effectively restrict global operations by EU businesses, as it is difficult or impossible to prove that there is no risk of governmental overreach in non-EU countries – including key EU allies and partners – even if governmental access scenarios are purely hypothetical.
A zero-risk approach is also inconsistent with the practices of many EU businesses with global and decentralised operations in third countries, particularly where functions such as IT are outsourced. The more common standard is a traditional 'risk-based' approach. Under this approach, businesses assess the likelihood and impact of potential data access by foreign authorities and implement proportionate safeguards, accepting that the residual risk does not need to be zero. Under a risk-based approach, remaining low or hypothetical residual risks must be considered and documented in the TIA, but they do not in themselves block cross-border personal data flows, contrary to what the IDPC's approach in the TikTok decision suggests.
Arguments against the IDPC’s approach
There are convincing legal arguments against the stricter approach taken by the IDPC. Firstly, nothing in the text of the GDPR requires such an approach. Furthermore, the following reasons support a more risk-based standard:
- SCC wording: The SCCs suggest that a TIA should be based on an overall assessment that considers the practical application of laws and any documented experience with access requests (Recital 20 of the Commission's 2021 SCC Decision). This implies that the specific likelihood of a foreign authority actually accessing the data, not merely its theoretical possibility, should guide the assessment.
- Proportionality: Requiring the elimination of all hypothetical risks would be disproportionate, especially where robust technical and organisational measures are in place and there is no evidence of foreign governmental access. TikTok argued that it had obtained expert legal opinions assessing the level of access possible under Chinese law, which concluded that the authorities lacked a legal basis to access EU user data. This legal analysis was supported by technical safeguards to prevent unauthorised access. However, the IDPC appears not to have fully considered these specific safeguards and to have generally assumed that Chinese jurisdiction would apply, even where no data is stored in China[1] or where access by staff in China is limited to specific circumstances and protected by particular safeguards.
- Operational impact: By insisting on excluding any theoretical data access risk, the IDPC’s decision could effectively isolate EU businesses from global services and markets. This restrictive approach ignores business realities: businesses operate by managing risk, not by achieving a hypothetical state of zero risk.
Strategic outlook: Navigating an uncertain path (even beyond China)
Looking ahead, the IDPC's decision is likely to have implications beyond data transfers to China. For example, transfers of personal data to India could face similar scrutiny. A study prepared for the European Data Protection Board found that Indian legislation includes widespread exemptions for governmental access to personal data. The European Data Protection Supervisor, the authority that ensures EU institutions comply with EU data protection law, recently blocked the European Investment Bank's data transfer to India, citing significant concerns over the adequacy of personal data protection.
More generally, the IDPC’s approach shows that supervisory authorities are increasing their scrutiny, with higher expectations for safeguarding international personal data transfers. Given ongoing legal challenges to such decisions, it will likely take time before companies gain legal certainty around the requirements and reasonable expectations under the GDPR. That said, we do not believe that businesses should adopt a zero-risk approach. Experience with supervisory authorities across Europe shows that well-documented, carefully-considered TIAs can still be deemed sufficiently robust – even if some risk of governmental access cannot be fully excluded – as long as the likelihood of the risk materialising is very low and the transfers are safeguarded by appropriate technical and organisational measures.
In light of the above legal arguments, there is an expectation that the Irish – and potentially European – courts dealing with the TikTok decision, and similar cases, will reinforce these principles and favour a more risk-based approach. While such an approach still requires a case-by-case TIA and does not offer absolute legal certainty, it enables international personal data transfers and avoids outright bans on sharing personal data with certain jurisdictions.
It is also worth noting that, as part of its competitiveness and simplification agenda, the European Commission is currently exploring ways to reduce the GDPR compliance burden, potentially through targeted amendments to the regulation. During the 2024 review of the GDPR, the Commission's Multistakeholder Expert Group confirmed that SCCs 'remain the most used for data transfers outside the EU,' noted that TIAs are 'burdensome, costly and time-consuming' and called 'for additional guidance (eg, on the responsibilities of involved parties and the level of detail required) and tools to help companies carry out TIAs (eg, templates, general country assessments, risk catalogues).' This would appear to be an obvious opportunity to reduce and simplify the compliance burden and increase legal certainty for businesses of all sizes, and it will be interesting to see whether it becomes a priority for the Commission following this decision.
[1] Subsequently, on 10 July 2025, the IDPC opened a separate inquiry into TikTok's transfers of EEA users' personal data to servers located in China.