On May 2, 2025, Ireland's Data Protection Commission fined TikTok €530 million for transferring EEA user data to China without adequate protection. On June 3, 2026, the Irish High Court upheld both the Article 46 and Article 13 violation findings — the liability is established. The fine amount and corrective orders remain subject to further proceedings, but the legal standard the DPC applied to TikTok's transfers is now confirmed by the court and applies to every organization relying on SCCs for data flows to countries without an EU adequacy decision.
Your compliance team signed off on SCCs for your Chinese cloud vendor or your APAC data center. Your transfer risk assessment was completed by an external law firm. Your supplementary measures include encryption. Under the DPC's framework, none of that is sufficient unless you can show specifically — not generally — that those measures prevent the government of the destination country from legally compelling access to your data.
Key Takeaways
- The €530 million fine consists of €485 million for Article 46(1) GDPR (unlawful data transfer) and €45 million for Article 13(1)(f) (failure to inform EEA users their data was transferred to China). The Irish High Court upheld both violation findings on June 3, 2026; the fine quantum and corrective orders remain subject to further proceedings, but the liability itself is confirmed.
- TikTok's failure was not that it lacked SCCs or a transfer risk assessment — it had both. The failure was that neither document substantively analyzed how China's four national security laws applied specifically to TikTok's data flows.
- Generic supplementary measures (encryption, access controls) that protect against unauthorized access do not satisfy Article 46 if they cannot prevent access compelled by the destination country's government. The distinction is critical and widely misunderstood.
What TikTok Actually Violated
The DPC's decision found two separate GDPR violations.
Article 46(1) violation — €485 million. TikTok failed to ensure that EEA user data transferred to China (via remote access by Chinese employees) was protected to a standard essentially equivalent to EU law. TikTok had SCCs in place. It had commissioned transfer risk assessments from a Chinese law firm. Those TRAs acknowledged that Chinese law and practice diverge from EU standards — but they did not examine how four specific Chinese laws applied to TikTok's actual data flows. The DPC found this failure to constitute an inadequate assessment. TikTok's central argument — that China's "territoriality principle" meant Chinese authorities could not compel access to data that was merely accessed remotely but stored in Europe — was rejected. The DPC held that TikTok had not addressed the possibility of Chinese authorities obtaining access to data temporarily processed in China during remote access sessions.
Article 13(1)(f) violation — €45 million. TikTok's privacy policy at the time of the inquiry did not inform EEA users that their personal data was being transferred to China, who would receive it, or what legal mechanism governed the transfer. Article 13(1)(f) requires this information to be provided at the time data is collected. The failure was straightforward and the €45 million fine reflects the number of EEA users whose transparency rights were violated.
The Four Chinese Laws That Created the Equivalence Problem
The DPC's essential equivalence analysis turned on four pieces of Chinese national security legislation:
- Anti-Terrorism Law — empowers security agencies to obtain data from technology companies for counter-terrorism investigations, with no independent judicial oversight comparable to EU standards.
- Counter-Espionage Law — broadly defines espionage to include cooperation with foreign entities in ways that could encompass data flows involving non-Chinese nationals.
- Cybersecurity Law — requires "critical information infrastructure operators" (a broad and opaque category) to store data in China and cooperate with government security assessments.
- National Intelligence Law — requires any Chinese organization or individual to cooperate with national intelligence work, without the possibility of legal refusal.
TikTok's TRAs acknowledged these laws existed. The DPC found the acknowledgment insufficient — the assessment needed to analyze how each law applied to TikTok's specific data flows, what the realistic probability of government access was, and how that probability interacted with the data's sensitivity. That transfer-specific analysis was absent.
Why Project Clover Was Not Enough
TikTok argued that its €12 billion data security initiative, Project Clover, provided sufficient supplementary measures. Project Clover included encryption, access controls, and pseudonymization designed to limit internal employee access to EEA user data.
The DPC and the Irish High Court found these measures insufficient — and the reasoning matters for every organization's supplementary measures design. Project Clover addressed unauthorized access: it prevented employees and third parties who should not have access from obtaining it. It did not address authorized access: it could not prevent a Chinese government authority from legally compelling TikTok to produce data under the National Intelligence Law or the Anti-Terrorism Law.
Generic encryption does not satisfy the Article 46 requirement when the threat is government compulsion, not hacking. Supplementary measures must be designed specifically to neutralize the identified legal risks of the destination country — not to secure the data against ordinary threats that your data security baseline already addresses.
| Measure type | Addresses unauthorized access | Addresses state-compelled access | Satisfies Article 46 for China transfers |
|---|---|---|---|
| Encryption (company-held keys) | ✓ | ✗ — company holds keys and can be compelled | ✗ |
| Pseudonymization (reversible) | Partial | ✗ — reversibility means compelled de-pseudonymization is possible | ✗ |
| Access controls (internal) | ✓ | ✗ — government access bypasses internal controls | ✗ |
| End-to-end encryption (no company key access) | ✓ | ✓ — technically prevents decryption | Potentially ✓ if keys are held outside China |
| Data minimization (transfer only non-identifiable data) | N/A | ✓ — nothing to compel | ✓ for data minimized to below identification threshold |
What Organizations Must Do Now
For any data transfer to China or any other country without an EU adequacy decision:
- Run a transfer impact assessment that goes beyond legal acknowledgment. Identify each Chinese law that applies to your data category and transfer mechanism. Analyze specifically — not generally — whether each law could compel access to the data you transfer, and whether that access would defeat the protections your SCCs provide.
- Design supplementary measures against the identified legal risk, not against generic threats. If your TIA concludes that the National Intelligence Law creates a compulsion risk, your supplementary measure must address that risk specifically — for example, end-to-end encryption with keys held outside the receiving jurisdiction, or data minimization ensuring only non-identifiable data crosses the border.
- Update Article 13 and 14 notices. Identify every third country receiving EEA user data and name it in your privacy notice, together with the transfer mechanism (SCCs, BCRs, or other Article 46 safeguard) and a reference to obtaining a copy.
- Map your China data flows. The DPC's Article 46 analysis applied to remote access by employees in China — a data flow pattern many organizations do not classify as an international transfer because no data physically leaves an EU server. If Chinese employees can remotely access EEA user data, that access is a transfer under the DPC's decision.
Secure Privacy's Privacy & AI Governance Platform provides a Transfer Impact Assessment workflow that maps third-country legal risks to specific supplementary measures, and a Data Map that surfaces China-connected data flows — including remote access patterns — across your processing activities.
Frequently Asked Questions
Does the DPC decision apply only to data transfers to China?
No. The DPC's "verify, guarantee, demonstrate" standard and the essential equivalence framework apply to all Article 46 transfers — to any country without an EU adequacy decision. China has specific legislative characteristics (the National Intelligence Law in particular) that make equivalence especially difficult, but the same analysis is required for transfers to the US, India, Russia, and other non-adequate countries. The TikTok decision makes clear that SCCs plus a superficial TRA are not enough anywhere.
Is TikTok required to stop all transfers to China?
The corrective order that the original DPC decision included (bringing processing into compliance within 6 months) was vacated by the Irish High Court on June 3, 2026, which found the DPC had not adequately considered TikTok's Project Clover measures before issuing it. The corrective order question was remitted to the DPC for reconsideration. The fine is upheld and final. TikTok remains under obligation to bring its transfers into compliance; the form of that obligation is still being determined.
What did TikTok's Article 13 failure consist of specifically?
TikTok's privacy policy did not identify China as a destination country for EEA user data, did not name which entities in China received that data, and did not specify what Article 46 mechanism governed the transfer. Article 13(1)(f) requires all of this to be provided at the time of data collection. The €45 million fine (applied separately from the €485 million Article 46 fine) reflects the scale of the EEA user population whose right to information was violated.
What counts as a "transfer" to China under this decision?
The DPC's decision confirmed that remote access by employees physically located in China constitutes a transfer of personal data under GDPR, even where no data is copied or physically moved to a Chinese server. Any scenario in which a person in China can access, view, query, or process EEA personal data — via a VPN, a shared platform, or a customer support tool — is a transfer that requires an Article 46 safeguard and a compliant TIA.
What is the standard for a compliant TIA after this decision?
The DPC and the Irish High Court established that a compliant TIA must: identify every applicable law of the destination country that could compel access to the specific data you transfer; analyze how each law applies to your specific transfer and data type; assess the realistic probability of government access; and link specific supplementary measures to each identified legal risk. A general acknowledgment that Chinese law differs from EU law is not enough.
What should organizations do if their current TIA is based on the territoriality principle?
Replace it. The DPC expressly rejected the argument that Chinese authorities cannot compel access to data that is stored outside China but accessed by Chinese employees. If your TIA for China-bound flows (including remote access) relies on this reasoning, it does not satisfy Article 46. Commission a fresh TIA that analyzes the four national security laws identified in the DPC's decision against your specific data type and transfer mechanism.
For organizations building or auditing their international data transfer program in response to this decision, Secure Privacy's Privacy & AI Governance Platform provides the Transfer Impact Assessment module, Vendor Management for tracking third-country processors, and the Data Map infrastructure needed to surface every China-connected data flow in scope.




