Noyb targets TikTok, SHEIN, and others for alleged GDPR violations

European Privacy Group accuses popular apps of illegitimate data transfers to China

noyb targets Chinese companies for illegitimate data transfer

The European Privacy Group has accused popular apps of illegal data transfers to China. None of Your Business (noyb), the Austrian privacy activist group, has filed a series of official complaints against six major organizations, alleging serious violations of the European Union's General Data Protection Regulation.[1]

The companies in question – TikTok, AliExpress, Temu, SHEIN, Xiaomi, and WeChat – are accused of having illegally transferred personal data of EU users to China. Complaints about such practices have been filed with regulators in Austria, Belgium, Greece, Italy, and the Netherlands, urging immediate actions to stop such data practices and to impose penalties where deemed appropriate.

Noyb's action brings forward continuing questions about the safety of data transferred to countries outside the EU. The practices attributed to the companies give rise to serious doubts about their adherence to the obligations of the GDPR, especially those touching on users' rights and the guarantee of transparency.

Allegations of GDPR breaches

The complaints focus on violations of Chapter V of the GDPR, which regulates cross-border data transfers. Noyb has identified specific breaches, including:

  • Article 44: This article sets general principles for international data transfers, ensuring that user privacy is maintained to EU standards regardless of where the data is processed.
  • Article 46: It requires organizations to implement robust safeguards, such as legally binding agreements, to protect personal data when transferred outside the EU.
  • Article 46(1): Companies are obligated to conduct thorough data transfer impact assessments to evaluate and mitigate potential risks to user privacy, which the accused firms allegedly failed to do.

According to noyb, the lack of comparable data protection standards in China amplifies the risks. Chinese law permits government authorities to access private company data, which, combined with the absence of independent oversight, leaves EU user data vulnerable. Xiaomi’s transparency reports, for instance, reveal that Chinese authorities have virtually unrestricted access to user information.

These violations not only undermine the GDPR’s foundational principles but also jeopardize the privacy and security of millions of EU citizens who use these platforms daily.

Companies are ignoring privacy requests

Besides illegal data transfers, noyb also accuses them of violating GDPR Article 15, a provision granting EU users rights to access comprehensive information regarding their personal data. The group observed that none of the companies approached them with satisfactory responses to its requests pertaining to data transfer policy and practice.

Noyb's investigations revealed varying degrees of transparency. Companies like TikTok, AliExpress, SHEIN, and Xiaomi openly acknowledge transferring data to China in their privacy policies, while Temu and WeChat obscure these details by vaguely referring to transfers to “third countries.” This lack of clarity and responsiveness raises concerns about the companies' overall commitment to privacy regulations.

The financial stakes are high. If found guilty of GDPR violations, these companies could face fines of up to 4% of their global annual revenue. For example, Xiaomi and Temu, two major players in the tech and e-commerce industries, risk fines of approximately $1.75 billion and $1.35 billion, respectively. Beyond financial penalties, regulators are urged to enforce immediate changes to ensure compliance with GDPR and protect user data.

Data might end up in the wrong hands

This wave of complaints represents a significant expansion of noyb’s focus, marking its first major action against Chinese companies after targeting U.S.-based tech giants like Google[2] and Meta in the past. The allegations have broader implications for global data privacy enforcement, particularly concerning jurisdictions with minimal data protection safeguards.

Tiktok, already under the microscope for its data practices, now faces a new set of challenges as regulatory bodies around the world investigate its role in data privacy and election integrity. The platform is also fighting a potential nationwide ban in the U.S.,[3] while European regulators continue to investigate it over compliance with privacy laws.

The Chinese government has consistently denied directing companies to share data unlawfully, insisting that organizations operate independently. However, critics argue that China’s laws on corporate data-sharing effectively grant authorities broad access to private user information. While Xiaomi has stated its willingness to cooperate with regulatory authorities if approached, other companies implicated in these complaints have remained silent.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References
Files
Software
Compare