The Austria-based advocacy group None of Your Business (NOYB) has filed six GDPR complaints against major Chinese companies, including TikTok, AliExpress, SHEIN, Xiaomi, WeChat, and Temu, for allegedly transferring Europeans’ personal data to China unlawfully. This marks NOYB’s first legal challenge targeting Chinese firms, signaling an expanded focus beyond U.S. tech giants.
The Complaints in Detail
NOYB has accused these companies of failing to comply with the EU’s General Data Protection Regulation (GDPR) by transferring user data to China without adequate safeguards. The complaints were filed in six EU member states:
- TikTok: Greece
- Xiaomi: Greece
- SHEIN: Italy
- AliExpress: Belgium
- WeChat: Netherlands
- Temu: Austria
Key Allegations
- Open Admission of Data Transfers
Companies such as TikTok, SHEIN, and Xiaomi openly acknowledge sending EU user data to China, while others like Temu and WeChat transfer data to unspecified “third countries,” likely China. - Non-Compliance with GDPR Standards
GDPR permits data transfers outside the EU only if the destination country meets its stringent data protection standards. NOYB argues that China’s authoritarian surveillance regime inherently fails to meet these criteria. - Failure to Respond to Access Requests
The organization claims that the companies did not adequately respond to user requests regarding data processing and transfers.
Potential Consequences
Under GDPR, authorities can:
- Suspend Data Transfers: Require companies to halt transfers under Article 58(2)(j) until they comply with GDPR.
- Impose Fines: Levy fines of up to 4% of global revenue, potentially resulting in billions of euros in penalties.
- AliExpress: Up to €147 million (€3.68 billion)
- Temu: Up to €1.35 billion (€33.84 billion)
NOYB’s Perspective
Kleanthi Sardeli, a data protection lawyer at NOYB, emphasized the risks of transferring data to an “authoritarian surveillance state” like China, where user information cannot be safeguarded from government access.
“Transferring Europeans’ personal data is clearly unlawful and must be terminated immediately,” Sardeli stated.
The organization has called on European data protection authorities (DPAs) to act swiftly, ensuring compliance and penalizing violations.
Company Responses
- Xiaomi: A spokesperson acknowledged the complaint, asserting that the company complies with local laws and will cooperate with authorities as needed.
- TikTok and Others: No official comments have been made as of now.
The Bigger Picture
This legal action opens a new chapter in the EU’s enforcement of data protection laws, addressing concerns about user data being sent to countries with differing privacy standards. As GDPR enforcement intensifies, companies operating in Europe face mounting pressure to ensure their practices align with EU regulations.
Final Thoughts
The complaints against TikTok, AliExpress, and other Chinese companies highlight growing concerns about cross-border data transfers and their implications for privacy. The outcomes of these cases could set a critical precedent for global data protection practices, reshaping how companies handle user information in the EU.