Abstract
On May 2, 2025, the Irish Data Protection Commission (DPC) imposed a hefty fine of €530 million on TikTok, once again sounding the alarm for Chinese-funded enterprises on GDPR compliance in the EU. The fine centred on TikTok's failure to demonstrate effectively that the level of protection for European Economic Area (EEA) user data, once transferred to China, was "essentially equivalent" to EU standards, highlighting the complexity and importance of compliant cross-border data transfers. This article analyses the case in depth, identifies the mistakes Chinese-funded enterprises commonly make in cross-border data transfers, and offers specific, actionable compliance recommendations.
Case Background and Facts of the Violation
TikTok, ByteDance's globally popular short-video platform, has a huge user base in Europe. Its data processing practices, however, have long been under close scrutiny by EU regulators. On May 2, 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million for unlawfully transferring EEA user data to China without adequate safeguards. This is not only the largest GDPR fine ever imposed on a Chinese-funded enterprise but also the third-largest fine in GDPR history. The DPC also required TikTok to bring its data processing into compliance within six months.
This is not the first time TikTok has been fined under the GDPR. In 2023 it was fined €345 million over its handling of children's data; the two fines together approach €900 million, a clear sign of the strict attitude and sustained enforcement of EU regulators on data protection.
Analysis of the Violations: Where TikTok Went Wrong
The core of this fine is a breach of GDPR Article 46(1) on cross-border data transfers. Specifically, TikTok's main missteps were the following:
1. Over-reliance on Standard Contractual Clauses (SCCs) without an adequate Transfer Impact Assessment (TIA):
TikTok relied on the Standard Contractual Clauses (SCCs) issued by the European Commission as the legal basis for its cross-border transfers. However, under the guidance of the European Data Protection Board (EDPB) and the European Court of Justice's judgment in "Schrems II", merely signing SCCs is not enough to make a transfer compliant. The data exporter must carry out a thorough Transfer Impact Assessment (TIA) to assess whether the data protection laws and practices of the third country can provide data transferred under the SCCs with protection "essentially equivalent" to that in the EU. TikTok was unable to demonstrate to the DPC that data on its servers in China enjoyed protection equivalent to EU standards, which indicates that its TIA was flawed or was not effectively carried out.
2. Failure to demonstrate the "essential equivalence" of China's level of data protection:
The GDPR requires that when data is transferred to a non-EU country, that country's level of data protection must be "essentially equivalent" to the EU's. This means looking not only at the country's statutes but also at how they are applied in practice. For Chinese enterprises, because China's data security legal framework differs from the EU's and because issues such as data access rights are sensitive, proving "essential equivalence" to EU regulators is an extremely challenging task. TikTok's failure to provide convincing evidence on this point was a major reason for the fine.
Compliance "Solutions" and Recommendations
In light of the TikTok case, Chinese-funded enterprises carrying out cross-border data transfers should adopt the following specific, actionable compliance strategies:
1. Comprehensively assess the legal basis for the cross-border transfer:
Before any cross-border data transfer, an enterprise must identify the legal basis for the transfer. Besides SCCs, it may consider Binding Corporate Rules (BCRs), an adequacy decision of the European Commission (where applicable), or the derogations provided in GDPR Article 49. Whichever basis is chosen, its validity and enforceability must be ensured.
2. Carry out a thorough Transfer Impact Assessment (TIA):
The TIA is the key step in cross-border transfer compliance. Enterprises should establish a sound TIA process that systematically assesses the data protection laws of the destination third country, the practice of government access to data, and the technical and organizational safeguards of the data recipient. The results should be documented in a written report, and supplementary measures (such as encryption, anonymization and pseudonymization) adopted according to the risk level. A TIA is not a one-off exercise but a continuous, dynamic assessment process.
3. Strengthen data localization and data segregation:
For Chinese-funded enterprises operating in the EU and processing large volumes of EU user data, storing and processing that data within the EU is an effective way to avoid risk. Where cross-border transfers remain necessary, data should be segregated as far as possible, with EU user data physically and logically separated from data infrastructure in China, reducing unnecessary transfers and lowering the risk of regulatory challenge.
4. Improve the transparency of data governance:
Enterprises should disclose clearly and accurately in their privacy policies the purpose of cross-border transfers, the recipients, the legal basis relied on and the safeguards adopted. They should also establish sound mechanisms for responding to data subject requests so that users can effectively exercise their GDPR rights, such as the rights of access and erasure. Transparency is an important means of building trust and reducing compliance risk.
5. Engage proactively with regulators:
When facing an investigation or inquiry from a regulator, an enterprise should cooperate actively and provide detailed explanations and evidence. Proactively communicating with the regulator and demonstrating its data protection efforts and remediation plans helps to win understanding and reduce penalties.
Conclusion
TikTok's €530 million fine proves once again that GDPR enforcement is not to be underestimated, especially in the sensitive area of cross-border data transfers. Chinese-funded enterprises must learn the lesson and treat GDPR compliance as a cornerstone of their global strategy rather than an optional burden. Only by building a sound data governance system, strictly meeting the compliance requirements for cross-border transfers and keeping a close watch on developments in EU data protection law can Chinese-funded enterprises achieve steady, long-term growth in the European market and avoid repeating these mistakes.
Case Study One: TikTok’s €530 Million Fine – Where is the ‘Red Line’ for Cross-Border Data Transfers?
Abstract
On May 2, 2025, the Irish Data Protection Commission (DPC) imposed a hefty €530 million fine on TikTok, once again alerting Chinese enterprises regarding GDPR compliance in the EU. The core of this fine lies in TikTok’s failure to effectively demonstrate that the level of data protection for European Economic Area (EEA) user data transferred to China was ‘essentially equivalent’ to EU standards, highlighting the complexity and importance of cross-border data transfer compliance. This article will delve into this case, reveal common pitfalls for Chinese enterprises in cross-border data transfers, and provide specific, actionable compliance recommendations.
Case Background and Violations
TikTok, a global short-video platform under ByteDance, has a massive user base in Europe. However, its data processing practices have long been under close scrutiny by EU regulators. On May 2, 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million for unlawfully transferring EEA user data to China without sufficient safeguards. This marks not only the largest GDPR fine against a Chinese enterprise but also the third-largest GDPR fine in history. The DPC also ordered TikTok to rectify its data processing practices within six months.
This fine is not TikTok’s first encounter with GDPR penalties. Previously, TikTok was fined €345 million in 2023 for issues related to children’s data processing. The cumulative fines now approach €900 million, fully illustrating the strict stance and continuous enforcement efforts of EU regulators on data protection.
Analysis of Violations and ‘Pitfalls’
TikTok’s fine primarily stems from its violation of GDPR Article 46(1) concerning cross-border data transfers. Specifically, its main pitfalls were the following:
1. Over-reliance on Standard Contractual Clauses (SCCs) without adequate Transfer Impact Assessments (TIAs): TikTok used Standard Contractual Clauses (SCCs) issued by the European Commission as the legal basis for its cross-border data transfers. However, according to guidance from the European Data Protection Board (EDPB) and the European Court of Justice’s ruling in the ‘Schrems II’ case, merely signing SCCs is insufficient to ensure data transfer compliance. Data exporters must conduct thorough Transfer Impact Assessments (TIAs) to evaluate whether the data protection laws and practices of the third country can provide ‘essentially equivalent’ protection to EU standards for data transferred under SCCs. TikTok’s failure to demonstrate to the DPC that data on its Chinese servers received protection equivalent to EU standards suggests that its TIAs were flawed or ineffectively implemented.
2. Failure to demonstrate ‘essential equivalence’ of Chinese data protection standards: The GDPR requires that when data is transferred to a non-EU country, the data protection level in that country must be ‘essentially equivalent’ to that of the EU. This means examining not only the country’s legal provisions but also its actual enforcement. For Chinese enterprises, given the differences between China’s data security legal framework and the EU’s, and the sensitivity of issues such as data access rights, proving ‘essential equivalence’ to EU regulators is a highly challenging task. TikTok’s inability to provide convincing evidence in this regard was a significant factor in its fine.
Compliance ‘Solutions’ and Recommendations
In light of the TikTok case, Chinese enterprises engaging in cross-border data transfers should adopt the following specific and actionable compliance strategies:
1. Thoroughly assess the legal basis for cross-border data transfers: Before any cross-border data transfer, enterprises must clearly establish the legal basis for the transfer. Besides SCCs, Binding Corporate Rules (BCRs), adequacy decisions by the European Commission (if applicable), or other derogations under GDPR Article 49 can be considered. Regardless of the chosen basis, its effectiveness and enforceability must be ensured.
2. Conduct comprehensive Transfer Impact Assessments (TIAs): TIAs are a critical component of cross-border data transfer compliance. Enterprises should establish a robust TIA process to systematically evaluate the data protection laws of the target third country, government access practices, and the technical and organizational safeguards of the data recipient. The assessment results should be documented in a written report, and additional supplementary measures (e.g., encryption, anonymization, pseudonymization) should be implemented based on the risk level. A TIA is not a one-time task but a continuous, dynamic assessment process.
3. Strengthen data localization and data segregation: For Chinese enterprises operating in the EU and processing large amounts of EU user data, data localization (storage and processing within the EU) is an effective risk mitigation strategy. Even where cross-border transfer is necessary, data segregation should be implemented as far as possible to ensure physical and logical separation of EU user data from data infrastructure within China, thereby reducing unnecessary cross-border transfers and lowering the risk of regulatory scrutiny.
4. Enhance data governance transparency: Enterprises should clearly and accurately disclose in their privacy policies the purpose of cross-border data transfers, the recipients, the legal basis, and the safeguards implemented. At the same time, robust mechanisms for responding to user rights requests should be established to ensure users can effectively exercise their GDPR rights, such as the rights of access and erasure. Transparency is a crucial means of building trust and reducing compliance risk.
5. Actively communicate with regulatory authorities: When facing investigations or inquiries from regulatory authorities, enterprises should cooperate actively, providing detailed explanations and evidence. Proactive communication with regulators, demonstrating the enterprise’s data protection efforts and improvement plans, can help foster understanding and mitigate penalties.
Conclusion
TikTok’s €530 million fine once again proves that GDPR enforcement is not to be underestimated, especially in the sensitive area of cross-border data transfers. Chinese enterprises must learn profound lessons and regard GDPR compliance as the cornerstone of their globalization strategy, rather than an optional burden. By establishing a sound data governance system, strictly adhering to cross-border data transfer compliance requirements, and continuously monitoring the latest developments in EU data protection laws, Chinese enterprises can achieve stable and long-term growth in the European market and avoid repeating past mistakes.
Disclaimer
This article is for the purpose of exchange and discussion only and does not represent a legal opinion or advice of any kind issued by Guangyue Law Firm (廣悅律師事務所) or its lawyers. To reproduce or quote any part of this article, please contact the firm for authorization and cite the source when doing so. If you wish to discuss related matters further or need professional legal support, you are welcome to contact the firm.


Contact: Ms. Ye Wen (葉文)
We look forward to further exchanges with you!
About Guangyue Law Firm
Founded in 2008, Guangyue Law Firm (廣悅律師事務所) is a comprehensive, foreign-related law firm rooted in the Greater Bay Area and committed to integrated management. It has since built a professional team of over a hundred lawyers and other legal service personnel and a diversified practice, offering clients high-quality, full-service, one-stop legal services. Following its development strategy of "rooted in the Bay Area, collaborating with Hong Kong and Macau, facing the world", Guangyue now has eight offices, in Guangzhou, Hong Kong, Shenzhen, Bangkok, Los Angeles, Sydney, Tokyo and Milan, with clients across many countries and regions in and outside China.
Contributed by | Guangyue Hong Kong Office
Editor | Wu Baoxuan (吳寶渲)
Reviewed by | Huang Xiaojun (黃曉俊)
Approved by | Brand Promotion and Market Development Committee