TikTok decision highlights enforcement risks associated with international data transfers
In April 2025, the DPC adopted a final decision following an inquiry into the lawfulness of TikTok’s transfers of EEA user personal data to China (which occurred through remote access by TikTok personnel based in China) and certain related transparency issues. In its decision, the DPC found that:
- TikTok had breached Article 46(1) GDPR in failing to verify and guarantee that the standard contractual clauses and supplementary measures that it had in place in respect of such transfers were effective in providing a level of protection that was essentially equivalent to that guaranteed within the EU.
- TikTok had breached its transparency obligations under Article 13(1)(f) GDPR by failing to provide data subjects with sufficient information about such transfers (including the fact that the relevant personal data, which was stored on US and Singapore based servers, was subject to remote access by TikTok personnel based in China).
In finding that TikTok had breached Article 46(1) GDPR, the DPC placed emphasis on the fact that TikTok had failed to adequately assess the extent to which Chinese law and practices would protect the personal data being transferred, despite TikTok demonstrating that it had previously carried out several transfer impact assessments concerning its data transfers to China. The DPC found that such failure directly impacted TikTok’s ability to select appropriate safeguards and supplementary measures for the transfers and prevented it from verifying and guaranteeing an equivalent level of protection for the relevant personal data.
For organisations engaged in international data transfers, particularly to high-profile jurisdictions, this aspect of the DPC’s decision highlights the importance, from a regulatory perspective, of conducting thorough and nuanced assessments of the impacts of proposed international data transfers, so that those assessments properly inform which appropriate safeguards and supplementary measures should be put in place.
The DPC imposed two administrative fines totalling €530 million for the above breaches and ordered that TikTok suspend the relevant data transfers and bring its processing into compliance. TikTok has appealed the DPC’s decision and has obtained a stay on the DPC’s suspension and corrective orders pending the outcome of its appeal.
EDPB publishes finalised guidelines on responding to third country authority data transfer requests
In June 2025, the EDPB adopted the final version of its Guidelines (02/2024) on Article 48 GDPR, which provide guidance on responding to requests to transfer or disclose personal data from third country (i.e., non-EEA) authorities. Some of the key takeaways from these Guidelines include:
- Judgments or decisions from third country authorities cannot automatically and directly be recognised or enforced in the EU absent an applicable international agreement.
- Regardless of whether an applicable international agreement exists, a controller or processor that receives a request from a third country authority to transfer or disclose personal data must: (i) identify an appropriate lawful basis for such transfer under Article 6 GDPR, and (ii) ensure that the transfer complies with the requirements of Chapter V GDPR.
- An international agreement may in certain circumstances provide both a valid lawful basis (under Article 6(1)(c) or Article 6(1)(e) GDPR) and a ground for the transfer of the relevant personal data (under Article 46(2)(a) GDPR).
- Where there is no applicable international agreement or the international agreement concerned does not provide an appropriate lawful basis and/or ground for the requested transfer, another lawful basis or ground for transfer may be considered carefully and on a case-by-case basis by the entity that is subject to the request.
General Court rejects EU-US Data Privacy Framework annulment challenge
In September 2025, the General Court of the EU upheld the validity of the EU-US Data Privacy Framework (DPF) in dismissing an annulment action brought against the DPF by a French MP, Mr Philippe Latombe (Case T-553/23; “Latombe”).
On the basis of Commission adequacy decision (EU) 2023/1795, personal data may be transferred from the EEA to US-based companies participating in the DPF without the need for additional safeguards, such as standard contractual clauses, to be put in place under Article 46 GDPR.
In dismissing the action, the General Court rejected several arguments raised by Mr Latombe, including allegations that:
- The Data Protection Review Court established under the DPF did not amount to an independent and impartial tribunal.
- Bulk collection of personal data by US intelligence agencies infringed Articles 7 and 8 of the Charter of Fundamental Rights.
The Latombe decision is currently under appeal to the Court of Justice of the European Union.
Adequacy decisions – key developments
In December 2025, the Commission renewed its 2021 UK adequacy decisions under the GDPR and Law Enforcement Directive which recognised that the UK’s legal framework provides a level of data protection that is essentially equivalent to that of the EU. These adequacy decisions allow personal data to flow freely to the UK without the need for data exporters to implement additional safeguards.
The renewed adequacy decisions will continue until 27 December 2031 with the possibility of further renewal thereafter. During this period, the Commission will monitor material developments in the UK on an ongoing basis in order to ensure that it continues to provide an essentially equivalent level of data protection.
The latter part of 2025 also saw several key developments in the long-awaited recognition of Brazil as a country that ensures an equivalent level of data protection to that of the EU, beginning with the draft Brazilian adequacy decision published by the Commission in September 2025 and followed by the EDPB’s opinion on the draft adequacy decision issued in November 2025.
More recently, on 27 January 2026, the Commission and Brazil formally adopted mutual adequacy decisions confirming that each jurisdiction provides an equivalent level of protection of personal data. The effect of such adequacy decisions is that personal data can flow freely between the EU and Brazil without the need for data exporters to implement additional safeguards.
The authors would like to thank Vivienne O’Keeffe for her contribution to this briefing.


