by Austrian privacy advocates noyb (None of Your Business) filed six data protection complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi in five European countries on Thursday, claiming the Chinese tech giants were unlawfully sending Europeans’ data to China.
Noyb has called on data protection regulators to order companies to suspend data transfers to China and impose fines on them.
Under EU law, personal data may only be transferred to a third country if that country is deemed to offer an adequate level of protection or if special agreements exist. Countries such as Canada, Japan, Israel and South Korea have been granted “adequacy decisions,” meaning they meet EU standards. In other cases, companies may commit to protecting data in accordance with EU guidelines.
However, Noyb argues that China’s authoritarian government and lack of independent oversight pose a significant risk to the fundamental rights of European users. According to the group, China’s legal framework does not prevent authorities from accessing citizens’ data, making the transfer of European data to China a major privacy risk.
Noyb claims that AliExpress, SHEIN, TikTok and Xiaomi have admitted in their privacy policies that they transferred data to China. Meanwhile, Temu and WeChat reportedly mention remittances to third countries, which noyb says is China.
The Data Protection Commissioner had previously requested access to information under the GDPR from these companies, but claims that none of these companies have complied with this request.
All six companies were contacted by Euronews for comment, but only Xiaomi and TikTok responded. A spokesperson for Xiaomi explained: “Respecting user privacy has always been one of Xiaomi’s core values (…) Our privacy policy has been developed to comply with applicable regulations such as the GDPR.” The company’s spokesperson told Euronews that Technology company is ready to cooperate fully with the authorities in resolving the matter.
TikTok said it has never shared European user data with the Chinese government and was not asked to do so, stressing that it would not comply with such a request. The company assured Euronews of its high standards of data security, adding that these standards go beyond the requirements of the GDPR.
The complaints are now in the hands of the data protection authorities in Austria, Belgium, Greece, Italy and the Netherlands. If the GDPR is violated, companies face fines of up to 4% of their global turnover.
