Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Back To Home
cybersecurity

Introduction
The Data Protection Commissioners of Ireland issued a ruling against TikTok in 2025, and it was heavily fined for violating GDPR regulations for transferring EEA User Data to China. This ruling may have significant implications for India when processing EEA personal User Data. After the Schrems II judgment, this decision comes as the most crucial decision in the EU’s enforcement framework, and this signals that the regulatory oversight is only going to get stricter in cross-border data transfers of EU users. Therefore, it is pertinent for Indian organizations processing EU users to understand the compliance measures as stipulated under GDPR and how the supervisory authorities expect them to be implemented in practice.
Compliance Lessons for Indian Organizations:
Ensuring Compliance with Chapter V of the GDPR: Indian organisations that process personal data of individuals located in the European Union must ensure compliance with Chapter V of the GDPR, which governs transfers of personal data to countries outside the EU and EEA. Since India does not currently benefit from an adequacy decision under Article 45, organisations cannot assume that EU personal data can be transferred to India without additional safeguards.
Strengthening Transfer Impact Assessments and Looking Beyond SCCs: TikTok, while defending itself, argued that it did have separate Standard Contractual Clauses (SCCs) in place, which were effective and equivalent in terms of protection of user data to GDPR. However, the ruling clearly established that standalone SCCs were not sufficient, and it was equally important to check whether the Chinese law had equivalent protection standards for the EU users. Therefore, Indian organizations, while conducting Transfer Impact Assessment as per GDPR, must go beyond a mere elaborate description of the local laws.
Organisations must undertake a detailed assessment of how local laws may affect the protection of personal data, particularly where government authorities may have powers to access such data. This assessment should also consider whether the legal safeguards enshrined under the DPDP Act and other laws in the Indian jurisdiction meet the standards reflected in the European Essential Guarantees. Then, these findings should enable the organisation to demonstrate, with supporting evidence, that the transferred data will continue to receive a level of protection that is equivalent to that guaranteed under GDPR.
Supplementary measures undertaken must address local law risks: The TikTok decision makes it clear that when the local law is not on par with the EU Law, supplementary measures must be taken. These measures These measures cannot be limited to general cybersecurity safeguards such as encryption, access controls, or internal security policies. While these measures may protect personal data from hackers, breaches, or unauthorised access, they may not be sufficient where the laws of the destination country permit government authorities to access such data. Therefore, organizations must ensure that their supplementary measures are capable of addressing not only technical security risks but also the risks arising from the legal framework of the Indian jurisdiction.
Adopting a risk-based approach: The decision also shows the importance of assessing international data transfers based on the level of risk involved. While determining the amount of the fine, the DPC considered factors such as the volume of the transfers, the number of individuals affected, the types of personal data involved, and the role those transfers played in TikTok's services. These factors are enshrined under Article 83(2) of GDPR. Indian organisations can use a similar approach while conducting Transfer Impact Assessment. Transfers involving large volumes of personal data, sensitive categories of information, or a significant number of individuals are likely to present greater risks and therefore require closer scrutiny. In such cases, organisations should carry out more detailed assessments and implement stronger safeguards than they would for transfers involving limited or less sensitive data.
When Access Itself Becomes a Transfer: Most organisations focus on where data is stored when thinking about cross-border transfers, but the TikTok ruling made it clear that location of storage is only part of the picture. If someone sitting in another country can log in and access that data remotely, that access itself can count as an international transfer under GDPR, regardless of where the servers physically sit. What this means practically is that organisations cannot limit their compliance review to data flows in the traditional sense. They need to map out who can access personal data, from where, and under what legal framework that access operates. These access arrangements need to be considered in Transfer Impact Assessments and covered by appropriate safeguards, just as a direct transfer would be.
Risks Associated with Onward Transfers to China
Where personal data received from the European Union is transferred to an entity located in China, the transfer may attract the same concerns that arose in the TikTok case. Indian organisations receiving EU personal data should also examine whether that data is subsequently shared with, or made accessible to, third-party processors located outside India. Compliance assessments should consider the entire data flow, including onward transfers, and ensure that the level of protection afforded to personal data is not reduced as the data moves through the processing chain. Accordingly, where an Indian organisation engages overseas processors or service providers, it may be necessary to evaluate the implications of those onward transfers and ensure that appropriate safeguards remain intact throughout this process.
Broader Implications for India's Data Protection Framework
Beyond organisational compliance, the decision is also relevant from an Indian legal perspective. One of the key issues in the TikTok case was whether the legal framework of the destination country offered safeguards comparable to those available under EU law. The DPC's assessment was not limited to TikTok's internal policies and contractual arrangements, but it also examined the broader legal environment, including the possibility of access to personal data by public authorities in China. Since India does not benefit from an adequacy decision under Article 45 of the GDPR, transfers of personal data to India generally rely on mechanisms such as Standard Contractual Clauses. However, as highlighted by the Schrems II judgment and reinforced in TikTok’s decision, the use of such mechanisms alone is not sufficient. European regulatory organisations may also be required to assess whether provisions of Indian law, including those relating to access to data by public authorities, could affect the level of protection afforded to personal data. As a result, Indian organisations may increasingly be expected to provide information regarding their legal and operational environment and, where necessary, implement additional safeguards to support continued transfers of EU personal data.
Conclusion:
European regulators are now looking beyond contracts and internal policies and are actively examining whether the legal environment of the destination country can genuinely protect EU personal data. For Indian organisations, this shift in regulatory stance demands a serious reassessment of how they approach GDPR compliance.
The core takeaway is that Standard Contractual Clauses alone will not hold up if the laws of the destination country work against the very protections those clauses are meant to guarantee. Indian organisations must go deeper by conducting Transfer Impact Assessments that actually reflect the realities of Indian law, including government access powers, and measuring those realities against European Essential Guarantees.
Supplementary measures must be drafted in such a way that they address both technical and domestic legal risks. Every transfer in the whole process must be carefully assessed, and an equal level of safeguards must be undertaken for every such transfer, thereby ensuring that compliance measures are intact throughout and avoiding potential future risks.
Want to stay ahead?
Reach out to the experts at tsaaro.com today.
Talk to a Privacy Expert
Get a free 1:1 session on AI compliance, DPDPA readiness, or incident response planning.
Related articles











