The TikTok China decision: A de facto ban on international data transfers?

The Privacy Partnership Podcast with Robert Bateman
29/10/2025 4 min
The TikTok China decision: A de facto ban on international data transfers?

Listen "The TikTok China decision: A de facto ban on international data transfers?"

Descargar episodio

Episode Synopsis

The DPC's TikTok decision is not that surprising if you understand the law, but it's actually a pretty huge deal to see this play out in reality. Are most international data transfers de facto illegal?TikTok enabled remote access to EEA users' personal data in China, purportedly for purposes like maintenance and user support.The DPC said: Remote access is a transfer. Not really surprising based on the post-Schrems II EDPB recommendations.TikTok encrypted the data in transit and at rest and put various other technical and contractual safeguards in place.The DPC said: These measures mean nothing if the Chinese government can undo them. Also not surprising; that was the whole point of Schrems II.TikTok admitted that Chinese law was not "essentially equivalent" to the EU's, but argued that because the data was STORED on EEA servers, the Chinese government could not touch it.The DPC said: Wrong. When the data is accessed on a Chinese employee's laptop, it's *in China*. The Chinese government can access it. That seems like common sense.TikTok said the Chinese government had never requested access to the EEA user data and was very unlikely to ever do so.The DPC said: Irrelevant. There is no "risk-based approach". Just because you say you've never received a request, that doesn't mean you actually haven't, or won't in future.—So from the DPC's perspective, each part of its decision makes sense based on previous EDPB recommendations and case law.But let's put TikTok to one side. What's the cumulative, logical-consequence effect of these findings?If there's no way any employee in China can even *look at* EEA-originating personal data, then transfers to China are effectively illegal.And whose rule-of-law standards *are* "essentially equivalent" to the EU's? If there's no risk-based approach, is the threshold actually impossibly high?India? Singapore? Australia? *Any* country without an adequacy decision?If we flip a switch and automatically applied this decision universally—FULL compliance with the EDPB's interpretation of Schrems II overnight—what happens to the global economy?Whatever your view on TikTok and the Chinese Communist Party, it's worth thinking this one through.

More episodes of the podcast The Privacy Partnership Podcast with Robert Bateman

Up to 40% off UK GDPR fines! The ICO's draft enforcement guidance 04/11/2025
The EDPB's long list of problems with UK data protection standards 21/10/2025
What is going on between the ICO and Clearview AI? The UK GDPR's scope and the meaning of "monitoring behaviour". 15/10/2025
Discord's photo ID breach: Are the UK GDPR and Online Safety Act to blame? 07/10/2025
Tractor Supply: The first CCPA case involving HR data 02/10/2025
LinkedIn's AI training plans are back, but not all users are treated equally 24/09/2025
The ICO is consulting on guidance on the new cookie rules—and whether to enforce them. 18/09/2025
The first criminal prosecution for 'ignoring' a DSAR: More common than we think? 10/09/2025
What does 'without undue delay' ACTUALLY MEAN? IL v Veracash 03/09/2025
More ICO guidance! Recognised legitimate interests 27/08/2025
© 2003-2025 ZARZA | AHEAD OF OUR TIME
privacy policy
In God we trust In God we trust
PreSales Questions? Click Here
or call our toll-free line at +1-888-5002068 Miami, Florida, USA