European privacy watchdog noyb has filed six General Data Protection Regulation (GDPR) complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for allegedly unlawful data transfers to China. The complaints, submitted across five European countries, raise concerns about the companies’ handling of Europeans’ personal data and the risks posed by Chinese government surveillance.
Noyb accuses the companies of violating GDPR rules by transferring personal data to China without adequate safeguards. Four companies—TikTok, AliExpress, SHEIN, and Xiaomi—explicitly state in their privacy policies that data is sent to China. Meanwhile, Temu and WeChat mention transfers to unspecified “third countries,” which noyb suspects includes China based on their corporate structures. The privacy group claims the companies failed to provide legally required information about these transfers in response to users’ access requests under Article 15 of the GDPR.
European data protection laws require that personal data transferred outside the EU meets stringent standards to ensure privacy protections equivalent to those within the bloc. However, noyb argues that such protections cannot be guaranteed in China, citing the country’s expansive surveillance laws and lack of an independent data protection authority.
“China’s authoritarian surveillance state does not provide the same level of data protection as the EU, making these transfers clearly unlawful,” said Kleanthi Sardeli, a data protection lawyer at noyb.
The complaints detail how Chinese authorities frequently request and receive unrestricted access to personal data from companies like Xiaomi, a practice documented in the company’s transparency reports. In contrast, EU-based authorities make only a fraction of such requests. Noyb emphasizes that European users have little recourse under Chinese data protection laws to challenge or prevent such access.
To address these alleged violations, noyb has requested that data protection authorities suspend all data transfers to China under Article 58(2)(j) of the GDPR. The organization also calls for administrative fines of up to 4% of global annual revenue for non-compliance, which could amount to €147 million for AliExpress and €1.35 billion for Temu.
The rise of Chinese-owned apps and platforms in Europe presents a new front for EU data protection laws, following similar concerns about U.S. government access to data. Noyb’s complaints underscore the growing urgency to enforce GDPR standards amid the global expansion of technology companies from countries with weaker privacy safeguards.
“The competent authorities must act quickly to protect the fundamental rights of the people concerned,” Sardeli stated.
The six complaints were filed in Belgium, Italy, Greece, the Netherlands, and Austria. If upheld, they could lead to significant fines and force these companies to overhaul their data practices to comply with European privacy laws.
Need Help?
If you have questions or concerns about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
