Whitepaper on the NIS2 Law

TikTok must inform users about data transfers to China: A turning point for digital privacy

Key takeaways at a glance
- Transparency obligation: Under the GDPR, TikTok is required to clearly inform European users about data flows to third countries - especially China.
- Legal risk: From the EU’s perspective, China does not provide an adequate level of data protection, triggering enhanced safeguards (standard contractual clauses) and strict information duties.
- User autonomy: The new requirements strengthen consumer sovereignty and enable informed consent.
- Economic pressure: Increased regulatory scrutiny creates new hurdles for TikTok and advertisers in targeting and data processing.
- Geopolitical dimension: The TikTok case is a precedent for European data sovereignty in conflict with global tech infrastructures.
Why this topic matters right now
By 2026, data protection is no longer a niche topic for lawyers or data protection officers - it has become a core pillar of the digital economy and societal trust. European regulators have significantly intensified their focus in recent years. TikTok, arguably the most successful social media platform of the past decade, now sits at the center of a debate that goes far beyond app usage.
The key question is: who has access to the behavioral patterns, preferences, and biometric data of millions of young Europeans? The demand by data protection authorities that TikTok must disclose when and why data flows to China marks a turning point. For users, it is a question of privacy; for companies, it is a challenge to align marketing strategies with strict GDPR requirements.
Why TikTok must inform users about data transfers to China
The GDPR is built on the principle of transparency. Articles 13 and 14 state that individuals have the right to know who processes their data and where it is transferred. When a company like TikTok (operated by ByteDance) exports data from the European Economic Area (EEA), stricter rules apply.
China is considered an “unsafe third country” under the GDPR. Unlike countries such as Canada or Japan, China does not have an EU adequacy decision. This means its level of data protection is not considered equivalent to EU standards. Authorities therefore require explicit user notification so individuals can decide whether they are willing to accept the risk of potential state access in China.
Which data is transferred to China - and why this is critical
TikTok collects vast amounts of information to power its “For You” algorithm, including:
- Interaction data: which videos you watch, for how long, and what you skip
- Biometric data: in some regions, facial and voice data for filters and effects
- Device information: IP address, operating system, installed apps, and keystroke patterns
- Location data: coarse GPS data and information derived from Wi-Fi networks
The risk: Chinese law obliges companies to cooperate with state security authorities (National Intelligence Law, 2017). Critics fear that European user profiles could be used for surveillance, influence operations, or social engineering. Even if data is accessed “only” for maintenance by engineers in China, this legally constitutes a data transfer.
Legal framework: GDPR, Schrems II, and the third-country issue
The landmark Schrems II ruling by the Court of Justice of the EU fundamentally reshaped international data transfers. It clarified that data protection must “travel with the data.” If data is sent to a third country, an essentially equivalent level of protection must be ensured.
Because Chinese law does not guarantee this, TikTok must rely on Standard Contractual Clauses (SCCs). On their own these are often insufficient and must be supplemented with technical and organizational measures (TOMs), such as strong encryption whose keys remain out of reach of providers in the third country. Transparency toward users is the minimum requirement - without it, any further processing is unlawful.
“Project Clover”: TikTok’s response to European concerns
To address regulatory pressure, TikTok launched “Project Clover,” a security initiative designed specifically for Europe:
- Local data storage: major investments in data centers in Ireland and Norway
- Third-party oversight: a European security firm monitors data flows and access
- Data minimization: access by non-European staff is reduced to an absolute minimum
Despite these measures, the obligation to inform users remains as long as technical interfaces or support structures involving China exist.
How users benefit from greater transparency
Transparency counteracts consumer powerlessness. Clear communication from TikTok offers several benefits:
- Informed consent: decisions based on facts rather than vague assumptions
- Right of access (Art. 15 GDPR): users can request details on which data reached China
- Right to erasure: users who disagree with transfer conditions can request account deletion
- Awareness: the debate strengthens digital literacy and critical thinking about “free” apps
Consequences for TikTok and the European advertising market
TikTok’s business model relies heavily on personalized advertising. Any restriction on data flows has direct economic consequences:
- Targeting precision: tighter controls may reduce algorithmic efficiency and increase ad wastage
- Compliance costs: advertisers must update privacy notices and assess liability when using TikTok pixels or SDKs
- Brand image: data protection scandals affect advertisers as well - brand safety now includes legal data security
Data protection authorities, politics, and data sovereignty
The TikTok case is closely tied to the EU’s push for digital sovereignty. Laws such as the Digital Services Act (DSA) and Digital Markets Act (DMA) aim to limit Big Tech power and enforce European standards globally.
Data protection authorities increasingly act as political players, challenging not just compliance gaps but entire data-driven business models. The message is clear: anyone operating in the EU market must comply with EU rules - regardless of headquarters location.
How to respond correctly now
For users
- Review privacy settings and disable personalized ads where possible
- Minimize app permissions (e.g. contacts, precise location)
- Avoid third-party logins to reduce cross-platform tracking
- Exercise your right of access under Art. 15 GDPR
For companies & marketers
- Audit where TikTok pixels or SDKs are deployed
- Update privacy policies with clear third-country transfer disclosures
- Evaluate alternative marketing channels with lower compliance risk
- Seek legal review of social media strategies
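The first item on the companies' list, auditing where TikTok pixels or SDKs are deployed, starts with an inventory of the third-party resources a page actually loads. The following is an added example, not code from the article or from TikTok: it parses a page's HTML, lists every script, image and iframe that is served from a host other than the first party, and marks those whose host falls under a configurable watchlist of transfer-relevant vendor domains. The sample HTML and all hostnames in it (the `.example` domains) are constructed placeholders; the watchlist is an assumption and would in practice be populated from the company's own record of processing activities.

```python
"""Inventory third-party tracking scripts and pixels embedded in a web page.

Added example; the sample HTML below is constructed for illustration and the
hostnames in it are placeholders, not a claim about any vendor's real endpoints.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a marketer's landing page; every host is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-shop.eu/static/app.js"></script>
<script src="https://pixel.tiktok.example/events.js"></script>
<script async src="//cdn.analytics-vendor.example/tag.js"></script>
</head><body>
<img src="https://pixel.tiktok.example/track?event=PageView" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://video.tiktok.example/embed/123"></iframe>
</body></html>
"""

# Vendor domains the audit treats as transfer-relevant. This list is an assumption
# for the example; a real audit takes it from the record of processing activities.
WATCHLIST = ("tiktok.example",)


class EmbedCollector(HTMLParser):
    """Collects every external resource reference that can carry tracking."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def host_of(url, page_host):
    """Hostname of a src value; protocol-relative URLs are resolved,
    relative URLs are attributed to the first party."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or page_host


def in_watchlist(host, watchlist=WATCHLIST):
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_embeds(html, page_host, watchlist=WATCHLIST):
    """Return all third-party embeds on the page, each flagged if watchlisted."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.refs:
        host = host_of(src, page_host)
        if host == page_host or host.endswith("." + page_host):
            continue  # first-party resource, not a transfer question
        findings.append({
            "tag": tag,
            "host": host,
            "src": src,
            "watchlisted": in_watchlist(host, watchlist),
        })
    return findings


if __name__ == "__main__":
    for f in audit_embeds(SAMPLE_HTML, "www.example-shop.eu"):
        label = "TRANSFER-RELEVANT" if f["watchlisted"] else "third-party"
        print(f"{label:18} {f['tag']:6} {f['host']}  {f['src']}")
```

Run against the constructed sample, the audit reports four third-party embeds, three of them on the watchlist (a script, a tracking image and an embedded iframe), and ignores the shop's own script and logo. Each watchlisted hit is a place where the privacy notice needs a third-country transfer disclosure and where the legal basis for the transfer should be on file.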
Conclusion: Transparency creates clarity and responsibility
The new information requirement for TikTok is a victory for European consumer protection. It forces one of the most secretive companies in the world to be more open. But transparency alone does not solve the problem - it is merely the tool that enables us to take responsibility.
For companies, this development means that “privacy by design” is no longer a marketing buzzword but a condition of their future viability. Those who invest in data protection-compliant processes today are building the trust that will be the most important currency in tomorrow's competition.
FAQ: Data transfers and data protection at TikTok
Why is China such a problematic destination for data?
There is a lack of independent judicial oversight of state surveillance measures. European citizens have little legal recourse in China if their data is misused.
Does the duty to provide information only apply to new users?
No, it applies to everyone. Existing customers must be proactively informed about updates to the privacy policy, usually through in-app notifications or emails.
Can I completely prohibit data transfer to China?
As an individual user, this is difficult because certain technical processes at TikTok are globally networked. If you object to the terms and conditions, the only option is often to delete your account.
What happens if TikTok does not comply with the requirements?
Fines of up to 4% of global annual revenue may be imposed. In extreme cases, authorities could also order a halt to data transfers, which would effectively ban the app in the EU.
Are other apps such as Instagram or WhatsApp more secure?
US companies are also under criticism because of the CLOUD Act. The difference, however, is that an (albeit controversial) agreement exists between the EU and the US in the form of the “Data Privacy Framework,” whereas nothing comparable exists for China.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.