The Irish High Court has just delivered a massive judgment in TikTok’s appeal against the Data Protection Commission (DPC). The court upheld a staggering €530 million fine—but surprisingly tore up the regulator’s order to suspend TikTok's data transfers to China. Who actually won this case, and what does it mean for the future of international data flows?
In this episode of the Privacy Partnership Podcast, Robert Bateman unpacks Mr Justice Rory Mulcahy’s highly technical ruling. We dive into the mechanics of remote access, the absolute floor for GDPR negligence, why catch-all phrases in privacy policies are no longer acceptable, and what happens when a regulator fails to "show its working" when assessing complex technical mitigations like TikTok's Project Clover.
In this episode, we cover:
The Mechanics of Remote Access: Why TikTok’s data localisation defence failed, and how data temporarily loaded into the RAM of an engineer's laptop in Beijing constitutes processing in China.
Article 46 and Accountability: How TikTok’s failure to assess the specific technical risks of local caching in its Transfer Impact Assessments (TIAs) led to a massive infringement.
Transparency and Article 13: Why the DPC fined TikTok €45 million simply for failing to explicitly name China in its 2021 privacy policy.
The New Standard for Negligence: Why relying on expensive external counsel doesn't shield you from liability, and why the GDPR negligence threshold is currently "sitting on the floor."
Fair Procedures and Project Clover: Why the High Court vacated the DPC’s suspension order, ruling that the regulator unlawfully ignored late expert evidence and failed to adequately explain why TikTok's new secure European data enclave was technically ineffective.
Key Takeaways for Privacy Professionals:
TIAs must reflect technical reality: Regulators are looking past server locations and examining endpoint devices. Your transfer assessments must account for temporary local processing, including RAM and CPU caching.
Name names in your privacy notices: Boilerplate language about "third countries" or relying on SCCs/adequacy without specifying the actual destination countries is a major compliance risk.
Regulators must justify technical rejections: While courts will defer to a regulator's technical expertise, Data Protection Authorities must provide detailed reasoning when rejecting a controller's supplementary measures.
