Privacy Daily is a service of Warren Communications News.
Remote Access the Problem

TikTok Decision Shows Growing Cooperation Among DPAs, Irish DPC Says

Irish Data Protection Commission Deputy Commissioner Cian O'Brien sees a "welcome trend" toward greater agreement among EU data protection authorities (DPAs) in enforcement cases. He spoke Friday during an IAPP webinar about the office's decision against TikTok.

Last week, the DPC said it fined the social media platform $600 million and ordered that it suspend data transfers to China (see 2505020006). On Friday, O'Brien fleshed out the order, which hasn't been made public.

It was the fifth DPC decision that made it through the cooperative process of review by other DPAs without objections, O'Brien noted.

The General Data Protection Regulation (GDPR) became effective in 2018. At the time, it was a novel law with several issues unresolved. Since then, there have been many enforcement decisions, providing more certainty in the law, making it easier for DPAs to agree on issues, O'Brien said.

Even when there are objections to a DPA's decision in an enforcement action, that shouldn't be considered a failure, O'Brien said. The regulation has unresolved issues that might require the European Data Protection Board to make a final decision.

The DPC's TikTok ruling differed in many respects from some of the big data protection decisions coming out of Europe, O'Brien said. For example, it involved remote access to Europeans' data from China rather than storage of their data on a server there. Remote access to data from a third country, one that hasn't received an adequacy decision from the EC, also falls under the GDPR, he noted.

Since the EC has found China's data protections unable to safeguard Europeans' data at an equivalent level to the EU's, TikTok transfers were made using standard contractual clauses (SCCs), O'Brien said.

It's up to an organization using that mechanism to verify and guarantee essential equivalence of protection before making any transfers. If it doesn't, those transfers are unlawful, O'Brien noted.

TikTok acknowledged that Chinese laws precluded a finding of essential equivalence, but argued that, in light of its practices, it offered essential equivalence, O'Brien said. The company implemented SCCs along with various supplemental organizational, technical and contractual measures, but its assessment of Chinese law in the context of its transfers was flawed, he said.

First, although the company assessed how Chinese law diverged from EU law at a high level, it was required to do so in the specific context of its own data transfers that resulted in EU data being shared in China, O'Brien said.

In addition, the platform contended that Chinese law had no extraterritorial effect because the data wasn't stored on servers there. But the problem was the remote access to that information, said O'Brien. TikTok also failed to tell users that the processing of their data would involve remote access by people in China, raising transparency concerns.

O'Brien was asked how smaller companies wanting to use SCCs could do so legally when a large business like TikTok failed to get it right. He said smaller firms must focus on the specifics of their data transfers. If a company's assessment is that it can't verify and guarantee essential equivalence, it should look for alternative mechanisms and not transfer data until it can meet that standard.