中岛 Perspectives | Lessons from the TikTok Fine: Compliance Challenges for Chinese Enterprises Under Global Data Regulation

Published: 2025-05-21

On May 2, 2025 (local time), TikTok, a subsidiary of the China-based technology conglomerate ByteDance with its European headquarters in Ireland, was fined €530 million (approximately RMB 4.366 billion) by the Irish Data Protection Commission (DPC) following an investigation into the lawfulness of its cross-border data transfers under the EU General Data Protection Regulation (GDPR). This is the second enforcement action the DPC has taken against TikTok. In September 2023, the platform was fined €345 million (approximately RMB 2.842 billion) for systemic breaches of GDPR obligations concerning the processing of minors' personal data, specifically the failure to implement age-appropriate design standards, default public profile settings, and inadequate age verification.


Introduction

In recent years, as Chinese enterprises have accelerated their expansion abroad, a growing number of internet platforms, manufacturing firms, and artificial intelligence (AI) companies have been rapidly building out their international operations. Meanwhile, cross-border data transfers, a core scenario for personal information protection, face increasingly strict scrutiny from regulators worldwide. This marks the entry of corporate data compliance into an era of strict regulation. In particular, as major regimes such as the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and China's Personal Information Protection Law (PIPL) continue to mature, cross-border data flows have evolved from a necessary step in digital operations into one of the focal points of global regulatory competition. For outbound Chinese enterprises, failure to accurately identify the data governance requirements of target jurisdictions, or the absence of institutional mechanisms for aligning with them, may expose them to considerable risk: hefty fines (e.g., up to 4% of global annual revenue under the GDPR), reputational damage, or even classification as a "national security risk", leading to a chain of consequences such as business blocks, market access restrictions, or barriers to public listing.


To help Chinese enterprises expanding abroad navigate this regulatory complexity, assess compliance risk, and formulate sound response strategies, this paper compares the personal information protection regimes of the major jurisdictions as they apply to cross-border data transfers and analyzes the compliance challenges enterprises face under multi-jurisdictional regulation.


1. Comparison of Major Jurisdictions' Data Protection Regulatory Frameworks

1.1 Overview of the EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), in force across the European Union (EU) since 25 May 2018, is widely recognized as one of the most rigorous, systematic, and influential personal data protection regimes in the world. Its extraterritorial scope applies not only to entities established within the EU but also to non-EU organizations that process the personal data of EU residents or monitor their behaviour (e.g., overseas e-commerce platforms selling to EU consumers).


The GDPR establishes six fundamental principles for personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. It also requires data controllers to allocate responsibility and assess risk before processing begins.


The GDPR grants data subjects a series of rights, including the rights to access, rectification, erasure, restriction of processing, objection to processing, data portability, and objection to automated decision-making. Its cross-border transfer provisions permit transfers only where the destination country has obtained an EU "adequacy decision" (e.g., Japan) or where safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place. Enterprises must comply with a range of obligations, including conducting Data Protection Impact Assessments (DPIAs), appointing a Data Protection Officer (DPO), and maintaining records of processing activities. The GDPR further requires that, in the event of a personal data breach, enterprises report high-risk incidents to the supervisory authority within 72 hours and notify affected data subjects where appropriate. Violators face administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. National data protection authorities are responsible for supervision and enforcement, coordinated by the European Data Protection Board (EDPB).


In summary, the GDPR has become the global benchmark for privacy protection by emphasizing data subject rights, imposing strict corporate accountability, and tightly controlling cross-border data flows.


1.2 Key Features of the U.S. Privacy Framework (CCPA and Related Laws)

The United States adopts a dual-track model of data privacy regulation, combining federal sector-specific oversight with comprehensive state-level legislation. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), serve as the core benchmarks, producing a fragmented pattern in which California leads and other states follow with their own variations. At the federal level, sector-specific statutes such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) protect particular categories of data, including health and children's data. State laws such as the CCPA and CPRA, by contrast, grant consumers broad rights (the right to know, the right to delete, the right to data portability, and the right to opt out of the sale or sharing of personal data) and impose obligations on businesses concerning privacy policy disclosures, data minimization, and enhanced protection of sensitive personal information (such as biometric data, precise geolocation, race, and sexual orientation). The CPRA also established the California Privacy Protection Agency (CPPA) as a dedicated supervisory body, strengthening the independence and professionalism of enforcement.


While the proposed American Data Privacy and Protection Act (ADPPA) seeks to establish a unified national framework, disputes over state-law preemption and the scope of sensitive data make a dynamic "federal floor plus state-specific enhancements" arrangement more likely in the near term.


1.3 Key Features of China's Personal Information Protection Framework (PIPL)

China's Personal Information Protection Law (PIPL), in force since 1 November 2021, forms the core legal framework for national data governance together with the Cybersecurity Law and the Data Security Law. It applies to the processing of personal information within China and also extraterritorially to overseas processing of the personal information of natural persons located in China (for example, foreign enterprises providing social media services to Chinese users).


The PIPL takes "notice and consent" as its legal basis, requiring explicit authorization from data subjects for the processing of personal information; statutory exceptions are limited to specific scenarios such as contract performance or responding to public health emergencies. For sensitive personal information, including biometric data, religious beliefs, medical and health information, financial accounts, location tracking, and the information of minors under 14, separate and fully informed consent must be obtained and strict protective measures (such as encryption and de-identification) must be implemented.


Individuals are granted the rights to access, copy, correct, and delete their personal information, to withdraw consent, and to restrict processing, but the PIPL does not explicitly provide a GDPR-style right to data portability (cross-platform transfer). Processors must fulfil obligations including appointing a personal information protection officer (required for enterprises processing the information of over 1 million individuals or sensitive personal information), conducting Personal Information Protection Impact Assessments (PIAs), establishing a data classification management system, and performing regular compliance audits. Major internet platforms must additionally establish an independent supervisory body and publish regular social responsibility reports.


Cross-border transfers of personal information must satisfy at least one of the following conditions: passing a security assessment organized by the national cyberspace administration (required for critical information infrastructure operators and enterprises processing the personal information of over 1 million individuals), signing the standard contract under the "Measures on Standard Contracts for Outbound Transfer of Personal Information" issued by the Cyberspace Administration of China, or obtaining certification from a professional institution. In addition, personal information collected by critical information infrastructure operators must be stored within China, and where an outbound transfer is genuinely necessary it must pass a security assessment. Data recipients must commit to meeting Chinese protection standards; otherwise the transfer may be terminated.


Enforcement is coordinated by the Cyberspace Administration of China, with industry regulators supervising collaboratively. For unlawful processing of personal information, authorities may order rectification, suspend business operations, confiscate unlawful gains, and impose fines of up to RMB 50 million or 5% of the previous year's revenue. In the event of a data breach that may harm individuals' rights and interests, the processor must immediately report to the regulator and notify the affected individuals. The PIPL draws on the GDPR's individual rights framework while strengthening national security requirements such as data localization and security assessments, allows exemptions from the consent rule for public interests (e.g., epidemic prevention and control), and imposes heightened responsibilities on large platforms. The result is a data governance system with Chinese characteristics that integrates protection of personal rights, corporate compliance governance, and maintenance of data sovereignty.


(Figure: Comparison of Data Protection Frameworks: EU (GDPR), U.S. (CCPA and State Laws), and Chinese mainland (PIPL))

From the above comparison, it is evident that the EU, the U.S., and Chinese mainland have each established relatively comprehensive personal information protection frameworks. The three jurisdictions show both commonalities and divergences in legal bases, data subject rights, cross-border transfer mechanisms, and penalty severity, so enterprises planning global operations must chart tailored compliance paths accordingly.


2. Compliance Challenges Under the GDPR, CCPA, and PIPL Data Regulatory Frameworks

Taking TikTok's successive fines in the EU as an example, the compliance cost of improper cross-border transfer and handling of data is becoming a major obstacle to enterprises' global expansion. The following analyzes the compliance challenges enterprises face under multi-jurisdictional regulation from three perspectives: data collection, privacy disclosure, and cross-border transfers.


2.1 Legal Risks in Data Collection and Processing

The first stage of any personal information processing activity is collection. However, many enterprises entering foreign markets simply carry over their domestic data processing workflows, overlooking the explicit requirement under local law for a "lawful basis".


For example, both the GDPR and the PIPL require that personal data be processed on a "lawful basis", of which "explicit consent" is the most common. If an enterprise fails to establish a sound user authorization process before product launch, does not clearly state the purposes of data use in its privacy policy, or collects more data than it needs, it may be found in violation for "lack of a lawful basis", however advanced its technical capabilities.


Furthermore, processing sensitive personal information (e.g., biometrics, location data, health data) or children's data requires an even stricter compliance path. Enterprises developing features such as facial recognition or targeted recommendation often become prime targets for enforcement when they fail to adequately disclose and control factors such as user categories, usage restrictions, and retention periods.


2.2 Deficiencies in Privacy Policies and User Notification Obligations

A privacy policy is the statutory instrument through which an enterprise fulfils its "notification obligation" to users. Its content must be concise, accurate, and transparent, and in particular must explain the purposes of data collection, how the data is used, with whom it is shared, how long it is retained, and what rights users have. However, many enterprises exhibit the following deficiencies:


First, the language of the privacy policy may not match local regulations. For instance, Chinese enterprises launching apps overseas often provide privacy policies exclusively in English without adaptation to the local language, violating the GDPR requirement that disclosures be made "in a language understandable to data subjects".


Second, disclosures are often incomplete or outdated. Some enterprises fail to update their privacy policy after adding app features, or even operate without any privacy policy for extended periods, which is readily treated as a failure to observe the "principle of transparency".


Third, data subject rights response mechanisms are absent. The GDPR requires enterprises to complete access, correction, or deletion operations within 30 days of receiving a user request; without corresponding procedures and a clear division of responsibilities, an enterprise cannot fulfil this obligation.


2.3 Compliance Challenges in Cross-Border Data Transfers

Cross-border data flows are the foundation of an enterprise's global operations, but differences in how jurisdictions regulate outbound data make cross-border transfers one of the most challenging risk points.


Under the GDPR, unless the destination country has obtained an "adequacy decision", cross-border transfers must rely on mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), accompanied by a commitment to provide data protection equivalent to the EU standard. Under China's Personal Information Protection Law (PIPL), an enterprise providing personal information overseas must undergo a security assessment for outbound transfer or sign a standard contract, and must fulfil the associated filing obligations. Since 2023, multiple Chinese multinational platforms have drawn regulatory attention for failing to complete the outbound assessment or to file the required contract.


Some enterprises that have set up overseas data centers still keep part of their critical processing in China or in a third country, without a comprehensive design of the data flow path across the full data lifecycle. This readily exposes problems during cross-border transfer such as insufficient de-identification, unclear transfer routes, and weak control over the recipient.


In summary, the compliance challenges enterprises face when expanding abroad span the entire data lifecycle, from the lawful basis for data collection and the disclosure obligations of privacy policies to the compliant mechanisms for cross-border transfer.


Summary

Against the backdrop of a rapidly evolving digital economy and global regulatory landscape, an enterprise that fails to put in place lawful transfer mechanisms such as SCCs or BCRs as the GDPR requires, or that breaches the filing obligations under the PIPL's "Standard Contract Measures", risks not only substantial fines but also a series of consequences such as business blocks and market access restrictions. To operate steadily and compliantly in this environment of overlapping jurisdictions, enterprises must not only raise their compliance awareness but also develop a high degree of institutional sensitivity and process adaptability.




Author

周志微

Senior Partner, 中岛律师事务所

Member, TMT & Data Compliance Committee

LL.B., Fujian Agriculture and Forestry University

vivianzhou@ilandlaw.com

Practice areas: corporate compliance, data compliance and personal information protection, commercial disputes

Working languages: Mandarin Chinese, English, Cantonese

Tel: (021) 80379999

Email: liubin@ilandlaw.com

Address: 27F, Times Finance Center, 68 Yincheng Middle Road, Pudong New Area, Shanghai

Join us: liubin@ilandlaw.com