TikTok, AliExpress, Temu and more hit with GDPR complaints over unlawful data transfers to China
Austria-based data protection and privacy advocating NGO noyb (none of your business) has filed a series of complaints against AliExpress, SHEIN, Temu, TikTok, WeChat, and Xiaomi for violating European general data protection regulation (GDPR).
The six firms stand accused of unlawfully transferring user data to China. In its complaints, noyb says that “given that China is an authoritarian surveillance state, companies can’t realistically shield EU users’ data from access by the Chinese government”.
See also:
- Microsoft confirms strange ‘some settings are managed by your administrator’ BitLocker error
- Apple decides to disable its broken AI-powered news summaries
- Microsoft rolls out administrator protection feature to some Windows 11 users to boost security
European Union law surrounding data transfers states that data may only be moved out of the EU providing that “the destination country doesn’t undermine the protection of data”. This is something nyob says simply cannot be guaranteed in the case of China.
Complaints have been filed against TikTok and Xiaomi in Greece, SHEIN in Italy, AliExpress in Belgium, WeChat in the Netherlands, and Temu in Austria. nyob points out that Chinese data protection laws do not stop authorities from accessing any data they want.
Kleanthi Sardeli, data protection lawyer at the organization says:
Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful -- and must be terminated immediately.
The complaints have something of a feeling of going through the motions, already knowing full well that laws have been broken. nyob says:
While four of [the companies] openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”. As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China.
While the outcome and timescale of what happens next is not known, nyob concludes by saying:
noyb has now filed 6 GDPR complaints in 5 European countries and requests the data protection authorities to immediately order the suspension of data transfers to China under Article 58(2)(j) as the country does not provide an essentially equivalent level of data protection under Article 44 and 46 GDPR. noyb also requests the companies to bring their processing into compliance with the GDPR. Last but not least, noyb asks the DPAs to impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4 percent of the global revenue, which can e.g. amount to €147 million (annual revenue of €3.68 billion) for AliExpress or €1.35 billion (annual revenue of €33.84 billion) for Temu.
More details are available here.