Published on: January 18, 2025
The European non-profit, noyb, filed six complaints against a range of Chinese companies, accusing them of misusing customer data. These companies, TikTok, Temu, SHEIN, Aliexpress, WeChat, and Xiaomi are being accused of transfering user data back to China or other countries, which is strictly prohibited by GDPR law outside of specific circumstances.
Four of these companies admitted to sending customer’s personal data back to China, while the other two said they sent data to undisclosed third-party countries.
“As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China,” noyb explains in a recent post. “But EU law is clear: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data.”
“Given that China is an authoritarian surveillance state, companies can’t realistically shield EU users’ data from access by the Chinese government,” noyb explains.
One example pertains to Xiaomi, a Chinese smartphone company. According to noyb, Chinese officials have requested a large amount of Xaomi’s customer data in a short amount of time. In their example, they underline that Xiaomi has to comply and turn over any data that the government asks for.
“On top of that, it is almost impossible for foreign users to exercise their rights under Chinese data protection law,” noyb said.
Following Article 15 of GDPR law, noyb filed access requests for the six companies, asking which countries their data was being sent to. Every request was denied.
“We still know that, according to their privacy policy, AliExpress, SHEIN, TikTok, and Xiaomi transfer data to China. Temu and WeChat mention transfers to third countries. According to Temu and WeChat’s corporate structure, this most likely includes China.”
The complaint also requests the DPAs to impose an administration fine. Should that happen, each business could be fined up to 4 percent of its global revenue.