Why TikTok was fined half a billion under the GDPR

  1. Data Transfers beyond the EEA

The transfer of personal data to third countries represents a particularly complex issue within the European Union (EU) data protection framework.[1] On the one hand, the European legislator recognises the need to enable such transfers to facilitate commercial relations with non-EU countries. On the other hand, this objective must be reconciled with the fundamental right to the protection of personal data, as guaranteed within the European Economic Area (EEA). For this reason, the GDPR allows personal data to be transferred outside the EEA only where the data controller can ensure that the protection level remains equivalent to that provided within the EU. This principle is reflected in the safeguards and conditions laid down in Chapter V of the GDPR.

In recent years, platform-based companies, such as TikTok, have been subject to scrutiny by supervisory authorities responsible for ensuring compliance with GDPR obligations. These authorities have initiated proceedings which, on several occasions, have resulted in decisions of significant legal relevance, thereby attracting considerable attention within the academic legal community.[2]

Among the most recent developments is the decision issued on 2 May, whereby the Irish Data Protection Commission (DPC) concluded its investigation into TikTok, focusing on two principal issues.[3]

The first issue the Authority considered was the lawfulness of the company's transfers to China of personal data collected from users located within the EEA. In particular, the investigation aimed to determine whether TikTok had provided appropriate safeguards within the meaning of Article 46 of the GDPR. The second, related issue was whether the privacy policy provided by TikTok, as data controller, complied with the transparency requirements set out in Article 13 of the GDPR, specifically as regards the controller's intention to transfer such data outside the EEA.

  2. The Lawfulness of TikTok's Data Transfers to China

The issue of transferring personal data abroad is a recurring and unsolved problem. Before delving into the questions raised by the case, it is crucial to recall that Article 44 enshrines the overarching principle that such transfers are permissible only where the level of protection afforded to personal data remains essentially equivalent to that guaranteed within the EU. This requirement can be satisfied through two main legal mechanisms.

First, under Article 45, transfers may take place where the European Commission has adopted an adequacy decision, confirming that the third country ensures an adequate level of protection. However, only a limited number of countries currently benefit from such recognition, and the People's Republic of China (PRC) is not among them.

In the absence of an adequacy decision under Article 45, Article 46 offers an alternative, albeit subsidiary, legal basis for transferring personal data to third countries. Such transfers are permitted only if the data controller can demonstrate that appropriate safeguards are in place and, in light of the legal framework of the recipient country, that those safeguards actually deliver a level of protection essentially equivalent to that required by the GDPR. The safeguards, set out in paragraphs 2 and 3 of Article 46, differ in their procedural requirements: those in paragraph 2 do not require prior authorisation, whereas those in paragraph 3 must be authorised by the competent supervisory authority.

Among the safeguards exempt from authorisation are the standard contractual clauses (hereafter, SCCs) referred to in Article 46(2)(c) of the GDPR, which are widely used by data controllers. These model data protection clauses, adopted by the European Commission, contain specific safeguards, including binding contractual obligations imposed on both the data exporter and the data importer. They are precisely intended to ensure a high level of data protection and to guarantee that personal data transferred to third countries are processed in accordance with the principles enshrined in the GDPR.

Coming back to the case at hand, the TikTok platform is subject to Chapter V of the GDPR, which requires the data controller to verify and demonstrate that, under the laws of the PRC, the transferred data enjoy a level of protection essentially equivalent to that provided for by the GDPR.

According to the findings of the DPC, TikTok violated Article 46 of the GDPR, as the investigation revealed that several Chinese laws, including the Anti-Terrorism Law, the Cybersecurity Law, the Counter-Espionage Law and the National Intelligence Law, do not allow for the conclusion that a level of protection in line with the standards guaranteed by the GDPR within the EEA is ensured.

As a result, the DPC found that TikTok had failed to properly assess the level of protection provided by the Chinese legal framework and had consequently failed to put in place SCCs and supplementary measures capable of ensuring a level of protection equivalent to that guaranteed within the EEA.

On this basis, the DPC concluded that TikTok had infringed Article 46(1) of the GDPR by carrying out unlawful transfers of personal data to China. It therefore imposed an administrative fine of €485 million. In addition, the DPC adopted two corrective measures: first, it ordered TikTok to bring its data transfers to third countries into compliance with Chapter V of the GDPR within six months from the date on which the decision becomes final; second, it ordered the suspension of data transfers to China, to take effect should the company fail to comply within the prescribed timeframe.

  3. The Transparency of TikTok's Privacy Policy

The second issue examined by the DPC in its final decision concerns TikTok's compliance with the transparency requirements under Article 13(1) of the GDPR, which apply where the controller collects personal data directly from the data subject.

In such cases, the provision requires the controller to inform the data subject of specific elements, including, among others, the identity and contact details of the controller, the purposes of the processing for which the personal data are intended, and any recipients of the data. Among these, particular importance attaches to point (f), which plays a central role in the present case: the DPC found that the EEA Privacy Policy adopted by TikTok in 2021 was inadequate in light of the requirements set out in Article 13(1)(f) of the GDPR. Under that provision, the controller must inform the user from whom the data were collected of its intention to transfer the personal data to a third country and of the existence or absence of an adequacy decision; where the transfer relies on Article 46, the controller must also refer to the appropriate safeguards in place and indicate the means by which to obtain a copy of them or where they have been made available.

In the case under examination, the DPC found that TikTok had violated the transparency obligations under Article 13(1)(f) of the GDPR. According to the investigation, TikTok's EEA Privacy Policy neither specified the third countries to which the collected data were transferred nor provided information regarding the nature of the processing operations involved. In particular, the EEA Privacy Policy failed to mention remote access, by TikTok personnel based in China, to data stored in Singapore and the United States.[4]

  4. TikTok's Reaction to the DPC's Final Decision

Following the publication of the DPC's decision, TikTok promptly responded. In a statement released by its Head of Public Policy and Government Relations, the platform announced its intention to appeal the Irish authority's decision.[5]

In its statement, TikTok argues, on the one hand, that it has never received requests from Chinese authorities for access to the personal data of European users; on the other hand, it contests the fact that the DPC did not adequately consider "Project Clover"[6], launched in 2023, which involves the construction of data centres in Europe and the independent oversight of any transfers to third countries by a leading European cybersecurity company.

Finally, the platform rejects the alleged violations of Article 46(1) and Article 13(1)(f) of the GDPR, maintaining that it implemented SCCs to ensure tightly controlled access to data by employees based in countries lacking an adequacy decision, and that it clearly explains these mechanisms in its Privacy Policy.

Clearly, the saga of the transfer of personal data is far from over.

[1] Among many others, see P. Guarda and G. Bincoletto, Diritto comparato della privacy e della protezione dei dati personali, Milano, 2023, pp. 131 et seq.

[2] As an example, see the final decision of the DPC, Data Protection Commission announces conclusion of inquiry into Meta Ireland, https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland.

[3] DPC, Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China, https://www.dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-fines-tiktok-eu530-million-and-orders-corrective-measures-following.

[4] It should be noted that, in determining the amount of the administrative fine, the authority took into account the fact that, in December 2022, TikTok amended its EEA Privacy Policy to bring it into compliance with the standards laid down by the GDPR. Accordingly, the DPC considered the transparency infringement to be limited to the period between 29 July 2020 and 1 December 2022 and imposed an additional administrative fine of €45 million for failing to adequately inform users about the transfer of their personal data to third countries.

[5] TikTok, Our Response to the Irish Data Protection Commission Decision on Data Transfers, https://newsroom.tiktok.com/en-eu/our-response-to-the-irish-data-protection-commission-decision-on-data-transfers.

[6] TikTok, Project Clover update: Enhanced data security with Norwegian data centre fully online, https://newsroom.tiktok.com/en-eu/project-clover-update-enhanced-data-security-with-norwegian-data-centre-fully-online.
