Earlier this month, the Irish Data Protection Commission (DPC) concluded its investigation into TikTok and issued a decision finding the company in violation of the GDPR. As a penalty, the DPC imposed administrative fines totaling €530 million and ordered TikTok to bring its data transfer practices into compliance within six months. If TikTok fails to do so, it will be required to suspend the transfer of personal data to China.
The DPC identified two major violations, relating to TikTok’s transfer of personal data of users in the European Economic Area (EEA) to China and its failure to meet transparency obligations.
First, TikTok did not conduct a proper assessment of the legal environment in China, nor did it ensure that the supplementary measures and Standard Contractual Clauses (SCCs) provided a level of data protection essentially equivalent to that within the EU. The company also failed to perform case-by-case assessments of the specific transfer scenarios involved. The DPC rejected TikTok’s argument that storing data in Europe was sufficient, finding that remote access by engineers based in China constituted a data transfer in practice. On this basis, TikTok was fined €485 million for breaching Article 46(1) of the GDPR.
In addition, the DPC imposed a €45 million fine on TikTok for violating Article 13(1)(f) of the GDPR, due to the lack of clarity in the 2021 version of its privacy policy regarding international data transfers.
Cross-border transfers of personal data are not rare occurrences and must be addressed with caution and attention to compliance. This responsibility applies not only to large corporations but also to small and medium-sized enterprises involved in data transfers. In a recent discussion with IAPP, the Deputy Commissioner of the DPC emphasized that companies should map the specific routes of their data transfers and assess each scenario individually. Where essential equivalence cannot be guaranteed, organizations may consider relying on the derogations under Article 49.
It is also important to note that intra-group data transfers within multinational companies are not subject to reduced obligations simply because the transfers occur within a corporate group. To avoid the burden of negotiating separate agreements between multiple entities, an Intra-Group Data Transfer Agreement (IGDTA), supplemented by a legal basis for the data processing, can be an effective and efficient solution for achieving compliance.
New ePrivacy template for an intra-group data transfer agreement (IGDTA)
We have developed a new template for an IGDTA that facilitates the contractual conclusion of data transfers within a group of companies. Please contact us if you would like us to assist you in concluding such an IGDTA.