Lawyers at Byrne Wallace Shields (BWS) have urged organisations to review any transfers of personal data to countries outside the EEA (European Economic Area).
The firm was commenting after the recent decision by the Data Protection Commission (DPC) to fine TikTok €530 million after an inquiry found that the platform’s transfers of European users’ data to China breached EU rules.
In a note on the firm’s website, its lawyers point out that the decision does not prohibit data transfers to China, while also noting that TikTok intends to appeal.
“However, as the decision stands, it would be prudent for organisations that transfer personal data to China to review their processes to ensure they have undertaken necessary assessments to safeguard the data as required by law,” the Byrne Wallace Shields lawyers write.
They stress that, where any organisation is “transferring” personal data outside the EEA to a third country, either an EU Commission adequacy decision or appropriate safeguards under article 46 of the GDPR must be applied.
The lawyers add that a “transfer”, for this purpose, includes both direct access and remote access to servers within the EEA from outside the EEA.
Byrne Wallace Shields cites three common examples where non-EEA transfers arise for its clients:
The firm says that the most commonly used appropriate safeguards are Standard Contractual Clauses (SCCs) approved by the European Commission.
The main purpose of the SCCs is to bind the data importer in the non-EEA country to apply standards equivalent to those of the GDPR.
The Byrne Wallace Shields lawyers note that TikTok had SCCs in place, but the DPC still took issue with the level of protection of personal data provided by Chinese law and practices.
“Consequently, the decision highlights the importance of identifying whether, in addition to SCCs, supplementary measures are needed to safeguard transferring personal data where risk to that data is identified,” they conclude.