Privacy Concerns Persist as TikTok Continues EU Data Transfers to China

Key Takeaways
  • Unlawful Transfers Identified: EU privacy regulators have determined that TikTok’s transfers of European user data to China breach the GDPR.
  • Appeal Does Not Stop Transfers: TikTok is appealing the decision and continues transferring data while enforcement measures are temporarily suspended.
  • User Warnings Now Live: TikTok has begun notifying users about the ongoing data transfers following a court requirement.
  • Heightened Risk for Minors: Regulators warn that younger users are often unaware of the scale of data collection and associated risks.
  • Organizational Accountability: Public and private organizations are urged to reassess TikTok use, conduct DPIAs, and be transparent about privacy risks.
Deep Dive

The Netherlands’ data protection authority has warned users and organizations to think carefully before continuing to use TikTok, after confirming that the platform is still transferring personal data of European users to China despite a joint finding by EU privacy regulators that such transfers are unlawful under the GDPR.

In a statement issued on 16 December, the Autoriteit Persoonsgegevens (AP) said TikTok has begun displaying warnings to users about how their personal data is handled while the company appeals regulatory decisions at EU level. According to the AP, the transfers remain ongoing for now, even though European supervisory authorities have already concluded that they breach EU data protection law.

The issue stems from a coordinated decision involving European privacy regulators, including Ireland’s Data Protection Commission (DPC) and the European Data Protection Board (EDPB), which determined that TikTok’s transfers of EU personal data to China violate the GDPR. While an Irish court has temporarily suspended enforcement measures linked to that decision, the underlying regulatory ruling remains in place.

TikTok has chosen to continue transferring data during its appeal and, following a court requirement, is now informing users directly through an in-app notification. That notification states that TikTok continues to transfer European user data to countries outside the EU, including China, and references the earlier ruling by the Irish DPC within the EDPB framework that found the practice unlawful.

Monique Verdier, Deputy Chair of the AP, said the warning is an important step, but stressed that users need to fully understand the implications. “TikTok collects and uses a lot of personal data, including clicking behavior, location data, contact information and sometimes financial data as well,” Verdier said. She added that minors in particular are often insufficiently aware of how much data is collected and the risks involved.

Verdier also pointed to the broader issue of international data transfers. While EU law gives individuals strong rights and control over their personal data, those protections do not necessarily apply once data is transferred outside the EU. “Outside the EU, such as in China, those rules are different,” she said. “This means that users often have little control over what happens to their data.”

Beyond individual users, the AP framed the issue as a wider societal and governance challenge. The authority said it is examining similar risks across other online services that transfer personal data outside the EU and called on organizations to assess whether continued use of such platforms is responsible.

For individual users, the AP advised carefully reading TikTok’s privacy notice, reviewing app permissions for access to devices and data such as cameras, microphones and location, and deciding whether continued use is acceptable under the circumstances. Users who are uncomfortable with the data transfers are advised to delete the app or deactivate their accounts and to avoid sharing sensitive information.

The guidance is more pointed for organizations, particularly public and semi-public bodies. The AP said organizations should assess the risks, including through a data protection impact assessment, taking into account that regulators have already deemed TikTok’s data transfers unlawful. It also warned that government and public-sector use of TikTok may send the message that the platform can be used without issue, despite unresolved regulatory concerns.

Where organizations choose to continue using TikTok, the AP said they should be transparent with their audiences about that decision and clearly communicate the associated privacy risks.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
