Irish regulator rules remote access constitutes data transfer
Irish DPC's €530 million TikTok penalty establishes that remote access from third countries qualifies as data transfer under GDPR, setting precedent for digital platforms.

The Irish Data Protection Commission issued a landmark decision on April 30, 2025, determining that when staff in a third country remotely access personal data of European Economic Area users, that access itself constitutes a transfer under the General Data Protection Regulation. The ruling, which resulted in a €530 million administrative fine against TikTok Technology Limited, stems from an inquiry commenced on September 14, 2021.
According to the DPC decision, TikTok's China-based employees could access EEA user data remotely even though the data was stored on servers in Singapore and the United States. The regulator concluded this remote access meant the data was effectively processed in China, triggering Chapter V GDPR requirements for international data transfers. The decision document states: "When staff in a third country can remotely access EEA users' data, that access itself constitutes a 'transfer.'"
Technical framework of remote access
TikTok maintained that EEA user data was stored on servers in data centers located in Singapore and the United States, operated respectively by TikTok Pte. Limited and TikTok Inc. The platform also utilized external cloud providers located outside of China. According to the DPC inquiry documents, TikTok developed internal web-based tools to control remote access to EEA user data, including access by support services in China.
The remote access system integrated authentication, authorization, and audit functions across internal systems. Permissions were granted based on least privilege principles, allowing only necessary access for employees to accomplish their job functions. Employees requesting data access submitted applications following defined approval workflows based on sensitivity levels.
Under this framework, personnel in China accessed EEA user data by logging in successfully, connecting to the network, and signing into particular applications or databases containing resources. Duration of specific remote access authorizations was generally limited to no more than 12 months. Authorization occurred on a role-specific basis rather than entity-wide, meaning only personnel whose roles required data access received permissions.
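A review of access grants along the lines described above, written as an added example (not TikTok's tooling and not taken from the DPC decision). The field names, the finding labels and the NO_TRANSFER_LOCATIONS set are assumptions made for illustration, and the sample grants are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: placeholder for the locations an organisation's own legal review
# treats as needing no Chapter V transfer mechanism. Not an official list.
NO_TRANSFER_LOCATIONS = {"IE", "DE", "FR"}
MAX_GRANT_DAYS = 366  # "no more than 12 months", as described in the article

@dataclass
class Grant:
    user: str
    role: str
    accessor_country: str      # where the person logs in from
    storage_country: str       # where the servers are
    holds_eea_data: bool
    approved_roles: frozenset  # roles approved for this dataset
    start: date
    end: date

def review(grant):
    """Return the list of findings for one access grant."""
    findings = []
    # storage_country is deliberately not consulted: under the decision the
    # accessor's location is what turns remote access into a transfer.
    if grant.holds_eea_data and grant.accessor_country not in NO_TRANSFER_LOCATIONS:
        findings.append("transfer-by-remote-access")
    if (grant.end - grant.start).days > MAX_GRANT_DAYS:
        findings.append("grant-exceeds-12-months")
    if grant.role not in grant.approved_roles:
        findings.append("role-not-approved")
    return findings

# Constructed sample grants (not real data).
SAMPLE = [
    Grant("u1", "support", "CN", "SG", True, frozenset({"support"}),
          date(2023, 1, 1), date(2023, 6, 30)),
    Grant("u2", "support", "IE", "US", True, frozenset({"support"}),
          date(2023, 1, 1), date(2024, 6, 30)),
    Grant("u3", "analyst", "CN", "US", False, frozenset({"support"}),
          date(2023, 1, 1), date(2023, 3, 1)),
]

def report(grants):
    """Map each user to the findings for their grant."""
    return {g.user: review(g) for g in grants}

if __name__ == "__main__":
    for user, findings in report(SAMPLE).items():
        print(user, findings or ["ok"])
```

Grants flagged as transfer-by-remote-access are the ones that need a Chapter V transfer assessment even though the data never leaves its storage location.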
Storage location and Chinese law application
TikTok argued that since data was not stored in China, Chinese law should not apply to the processing. The DPC disagreed with this interpretation. The regulator's position established that if data can be accessed within China, controllers must prove that Chinese law cannot realistically reach it.
The decision affects transfers occurring through 26 China Group Entities initially listed in October 2021, later reduced to 16 entities by October 2022. These entities acted as processors within Article 4(8) GDPR definitions on behalf of TikTok Ireland. Personnel accessed limited EEA user data through case-by-case permissions in their capacity as service providers and processors or sub-processors.
The March 2021 data transfer assessment preceded the formal inquiry commencement by approximately six months. TikTok submitted updated transfer assessments in October 2021, October 2022, December 2022, October 2023, and July 2024, reflecting ongoing changes to Chinese law, supplementary measures, and the China Group Entities involved.
Standard contractual clauses and adequacy requirements
The temporal scope of the inquiry examined data transfers from July 29, 2020, through May 17, 2023. During this period, TikTok relied on Standard Contractual Clauses adopted by European Commission Decision 2010/87/EU and later transitioned to SCCs from Implementing Decision (EU) 2021/914.
Chapter V GDPR establishes that personal data transfers outside the EEA can only occur if conditions ensuring high levels of protection are met. China has not received an adequacy decision from the European Commission. Without such a decision, controllers must implement appropriate safeguards under Article 46 GDPR, typically through SCCs.
The DPC examined whether TikTok adequately assessed law and practices in China regarding protection levels. This assessment must account for regulatory supervision mechanisms, public authority access provisions, and rights of redress available to data subjects. The regulator found TikTok failed to demonstrate compliance with its obligation to assess Chinese law's reach over remotely accessed data.
Transparency violations and privacy policy deficiencies
Alongside transfer violations, the DPC identified transparency failings under Article 13(1)(f) GDPR. TikTok's October 2021 EEA privacy policy proved inadequate for informing users about third country transfers. The policy failed to name specific countries, including China, to which personal data was transferred. It also did not explain that processing included remote access to data stored in Singapore and the United States by personnel based in China.
TikTok updated its privacy policy in December 2022, following DPC engagement. However, the regulator determined that violations existed during the period when the deficient October 2021 policy remained in effect. These transparency failures prevented users from understanding how their data was being processed and where it could be accessed.
Supplementary measures and Project Clover implementation
Throughout the inquiry, TikTok implemented various supplementary measures beyond standard contractual clauses. Technical measures included system entry controls, encryption protocols, access controls, and network security features. Contractual measures took the form of intra-group agreements implementing the 2010 and 2021 SCCs. Organizational measures addressed general data governance and law enforcement request handling.
In September 2023, TikTok submitted information about Project Clover, described as a program focused on creating a secure enclave for EEA user data with sophisticated access controls. The project involved data center infrastructure, encryption technologies, and access management systems. Implementation milestones extended beyond the inquiry's temporal scope, with updates provided through May 2024.
The DPC considered Project Clover developments when determining appropriate corrective measures. However, these implementations did not alter the fundamental finding that remote access during the inquiry period constituted transfers requiring Chapter V compliance.
Administrative fine calculation and corrective orders
The €530 million penalty comprises two components. TikTok received a €45 million fine for infringing Article 13(1)(f) GDPR regarding transparency requirements. The substantially larger €485 million fine addressed Article 46(1) GDPR violations concerning lawfulness of data transfers.
Beyond financial penalties, the DPC ordered TikTok to bring processing operations into compliance with Chapter V GDPR within six months. The decision included a suspension order under Article 58(2)(j) GDPR, threatening to halt data flows to China if compliance is not achieved within the specified timeframe. The regulator also ordered TikTok to bring processing into compliance under Article 58(2)(d) GDPR.
Applying the Article 83(2) factors, the DPC evaluated the nature and gravity of the infringements, their intentional or negligent character, mitigation actions taken, degree of responsibility, cooperation levels, affected data categories, and the manner in which the violations became known. The commission noted TikTok's cooperation throughout the inquiry but determined significant penalties remained warranted given the infringement's scope and duration.
Implications for cross-border data governance
The decision establishes precedent regarding remote access treatment under GDPR. European authorities have accelerated enforcement efforts under both the General Data Protection Regulation and the Digital Markets Act, reflecting broader concerns about platform market dominance and user privacy protection.
The ruling's logic extends beyond TikTok to any organization allowing third-country personnel to remotely access EEA personal data. Controllers cannot rely on data storage location alone to avoid Chapter V obligations. Instead, they must assess whether personnel accessing data are subject to laws incompatible with GDPR protection standards.
For companies with significant positions in semiconductor manufacturers and technology platforms, the decision creates compliance challenges. Organizations must evaluate whether third-country personnel access raises privacy concerns requiring supplementary measures beyond standard contractual clauses.
The DPC engaged all other EU/EEA data protection supervisory authorities as concerned supervisory authorities for the Article 60 GDPR cooperation process. Supervisory authorities from Netherlands, France, and Germany submitted comments during the prescribed four-week consultation period. No supervisory authority raised objections to the draft decision.
Accuracy issues discovered post-decision
On April 9, 2025, after the Article 60(4) consultation period concluded, TikTok informed the DPC that statements made during the inquiry regarding data storage were incorrect. The company reported discovering in February 2025 that some EEA user data had been stored on servers in China, contrary to representations made throughout the inquiry.
TikTok stated it migrated relevant data from China to Singapore on March 21, 2025, and permanently deleted data in China on March 26, 2025. The DPC expressed deep concern that inaccurate information limited the inquiry's scope to remote access transfers only. The regulator indicated it will continue engaging with TikTok on these issues using necessary regulatory powers in consultation with peer EU regulators.
The material scope of the April 30, 2025, decision concerns transfers occurring through remote access to data stored on servers outside China. Transfers resulting in data storage on Chinese servers fall outside this decision's scope but remain subject to ongoing regulatory attention.
Marketing sector compliance considerations
Digital advertising platforms processing EEA personal data face increased scrutiny following this ruling. TikTok's business model depends on sophisticated data processing capabilities requiring cross-border information flows to optimize user experiences and advertising effectiveness. The platform's global user base exceeds one billion, generating substantial advertising revenue through targeted content delivery and user engagement analytics.
Marketing teams must carefully structure data sharing agreements when working across multiple subsidiaries or partnership arrangements. Joint controllers must establish clear arrangements defining respective responsibilities for compliance obligations including data subject rights, security measures, and breach notifications.
The findings create significant compliance challenges for companies utilizing TikTok as part of digital strategy. Organizations investing in TikTok advertising or content creation must evaluate whether participation exposes corporate data or raises privacy concerns for audiences. The combination of regulatory findings about data transfers and extensive terms of service raises questions about appropriate data collection standards across social media platforms.
Privacy advocacy groups have filed complaints against major Chinese technology companies, targeting data transfer practices of platforms including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. These complaints, submitted to authorities across multiple European countries, challenge the legal basis for international transfers under current EU privacy law.
Chinese laws grant authorities extensive access to data processed by Chinese companies. European court decisions have established that supervisory authorities have a duty to act when presented with evidence of privacy violations. The Irish regulator previously opened an investigation after TikTok admitted EEA user data was stored on Chinese servers contrary to previous testimony.
Timeline
- July 29, 2020: TikTok Ireland establishes main establishment status in Ireland for GDPR purposes
- March 26, 2021: TikTok provides initial data transfer assessment for China to DPC
- September 14, 2021: DPC commences own-volition inquiry under Section 110 of Data Protection Act 2018
- October 12, 2021: TikTok submits comprehensive response including October 2021 data transfer assessment
- July 7, 2022: DPC furnishes statement of issues to TikTok Ireland
- September 15, 2022: TikTok submits detailed response to statement of issues
- December 19, 2022: TikTok transitions to 2021 Standard Contractual Clauses and submits updated materials
- May 17, 2023: DPC provides preliminary draft decision to TikTok Ireland
- September 9, 2023: TikTok submits response including Project Clover technical report
- January 16, 2025: Privacy group noyb files complaints against Chinese tech firms over data transfer practices
- February 21, 2025: DPC circulates draft decision to concerned supervisory authorities under Article 60 GDPR
- April 30, 2025: DPC announces €530 million fine and corrective orders
- May 2, 2025: Irish regulator's decision represents one of largest GDPR fines
- July 12, 2025: TikTok faces new DPC inquiry over China data storage violations
- July 17, 2025: Privacy advocates file additional GDPR complaints against major Chinese platforms for access request violations
Summary
Who: The Irish Data Protection Commission, acting as lead supervisory authority under Article 56(1) GDPR, issued the decision against TikTok Technology Limited, a private company registered in Ireland that provides the TikTok platform to users in the European Economic Area. Personnel of 26 China Group Entities (later reduced to 16) accessed EEA user data remotely from locations in China.
What: The DPC determined that remote access to EEA user data by personnel in China constitutes a data transfer under Chapter V GDPR, requiring compliance with Articles 44 and 46. TikTok violated Article 46(1) by failing to adequately assess Chinese law's reach over remotely accessed data and implement effective supplementary measures. The company also violated Article 13(1)(f) by failing to provide adequate transparency information in its October 2021 privacy policy. The regulator imposed a €530 million administrative fine (€485 million for transfer violations, €45 million for transparency violations) and ordered corrective measures including potential suspension of data flows to China.
When: The inquiry examined transfers occurring from July 29, 2020, through May 17, 2023. The DPC commenced the inquiry on September 14, 2021, and issued its final decision on April 30, 2025, following the Article 60 GDPR cooperation process with other EU/EEA supervisory authorities.
Where: The decision concerned personal data of users throughout the European Economic Area, including EU member states plus Iceland, Norway, and Liechtenstein. Data was stored on servers in Singapore and the United States but accessed remotely by personnel located in China. The Irish DPC acted as lead supervisory authority because TikTok Ireland has its main establishment in Ireland under Article 4(16) GDPR.
Why: The decision matters because it establishes that controllers cannot avoid Chapter V GDPR obligations by storing data outside third countries while allowing personnel in those countries remote access. Organizations must assess whether laws applicable to accessing personnel create risks incompatible with GDPR protection standards, regardless of data storage location. For marketing professionals and digital advertising platforms, the ruling creates compliance obligations when any third-country personnel access EEA personal data, requiring robust transfer assessments and supplementary measures beyond standard contractual clauses. The precedent affects technology companies, advertising platforms, and any organization with cross-border data processing arrangements involving remote access from countries lacking adequacy decisions.