Major Tech Companies Accused of Violating EU Data Protection Laws by Transferring User Data to China

2025-01-17

In a bold move to protect user privacy, Austrian non-profit organization None of Your Business (noyb) has filed complaints against several prominent tech companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. The complaints allege that these companies are unlawfully transferring European users’ personal data to China, violating the European Union’s stringent data protection regulations under the General Data Protection Regulation (GDPR).

The advocacy group is demanding an immediate halt to these data transfers, arguing that the companies cannot guarantee the safety of user data from potential access by the Chinese government. The complaints have been lodged in multiple EU countries, including Austria, Belgium, Greece, Italy, and the Netherlands.

Kleanthi Sardeli, a data protection lawyer at noyb, emphasized the risks: “China is an authoritarian surveillance state, and it’s clear that it doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data to China is unlawful and must be stopped immediately.”

Noyb further highlighted that these companies are legally obligated to comply with Chinese authorities’ requests for data access, and China lacks an independent data protection authority to address concerns about government surveillance. The group also revealed that none of the companies responded to its GDPR access requests, which sought clarity on whether user data is being transferred to China or other non-EU countries.

According to noyb, AliExpress, SHEIN, TikTok, and Xiaomi explicitly state in their privacy policies that they transfer data to China. Meanwhile, Temu and WeChat mention transfers to “third countries,” which likely includes China given their corporate structures.

This development comes at a critical time for TikTok, which is facing a federal ban in the U.S. starting January 19, 2025. The ban follows growing concerns over the platform’s ties to China and its potential to compromise user data.

Noyb has been actively pursuing GDPR-related complaints against other tech giants, including Google, Microsoft, and Mozilla, for tracking users without consent. These actions underscore the organization’s commitment to holding companies accountable for data privacy violations.

What Undercode Say:

The recent complaints filed by noyb against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi highlight a growing tension between global tech companies and data protection regulations. The allegations that these companies are unlawfully transferring user data to China raise significant concerns about privacy, security, and compliance with international laws.

China’s reputation as a surveillance state complicates matters further. Unlike the EU, which has robust data protection laws like the GDPR, China lacks an independent authority to oversee data privacy. This means that once user data enters Chinese jurisdiction, it becomes vulnerable to government access, with little recourse for individuals or organizations to challenge such actions.

The lack of transparency from these companies is equally troubling. Noyb’s attempts to seek clarity on data transfers were met with silence, suggesting a disregard for GDPR obligations. This behavior not only undermines user trust but also sets a dangerous precedent for other companies operating in the EU.

The timing of these complaints is particularly significant. With TikTok facing a U.S. ban and increasing scrutiny over its data practices, the spotlight on Chinese tech companies is intensifying. This could lead to stricter regulations and enforcement actions globally, as governments and advocacy groups push for greater accountability.

The broader implications of these complaints extend beyond the companies involved. They serve as a reminder of the importance of data sovereignty and the need for companies to prioritize user privacy. As technology continues to evolve, so too must the frameworks that govern its use. The GDPR has set a high standard for data protection, and companies must adapt to meet these requirements or face the consequences.

In addition to the noyb complaints, recent actions by the U.S. Federal Trade Commission (FTC) against General Motors and GoDaddy further underscore the global push for stronger data privacy protections. The FTC’s ban on General Motors from sharing driver data without consent and its order for GoDaddy to overhaul its security practices demonstrate a growing commitment to holding companies accountable for data misuse.

The amendments to the Children’s Online Privacy Protection Rule (COPPA) also reflect this trend. By requiring verifiable parental consent for targeted advertising and imposing stricter data retention policies, the FTC is taking steps to protect vulnerable users and ensure that companies cannot exploit children’s data for profit.

In conclusion, the noyb complaints and the

The ongoing battle for data protection is far from over, but these developments represent a significant step forward in holding companies accountable and safeguarding user rights in an increasingly digital world.