Jan 17, 2025 11:05:00

TikTok, Temu and AliExpress accused of violating GDPR by sending EU data to China

On January 16, 2025,

None of Your Business (noyb) , an EU privacy advocacy group, announced that it had filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for violating the EU General Data Protection Regulation (GDPR) by sending European users' data to China.

TikTok, AliExpress, SHEIN & Co surrender Europeans' data to authoritarian China
https://noyb.eu/en/tiktok-aliexpress-shein-co-surrender-europeans-data-authoritarian-china

GDPR complaints filed against TikTok, Temu for sending user data to China
https://www.bleepingcomputer.com/news/security/gdpr-complaints-filed-against-tiktok-temu-for-sending-user-data-to-china/

Under the GDPR, companies cannot transfer European people's data outside the EU, but it does allow for exceptional cases, provided that the data is strictly protected against access by states and other authorities.

This means that Europeans' data will only be allowed to leave the EU if the destination country offers a high level of privacy protection, but Chinese companies cannot expect such protection as they must hand over any data if ordered to do so by the Chinese government.

'Given that China is an authoritarian surveillance state, it is clear that it does not offer the same level of data protection as the EU. In such cases, the transfer of Europeans' personal data is clearly illegal and must stop immediately,' said Craneti Sardelli, data protection lawyer at noyb.

by

Focal Foto

According to noyb, AliExpress, SHEIN, TikTok, and Xiaomi all state in their privacy policies that they transfer data to China, while Temu and WeChat state that their destinations are 'third countries,' which 'given the corporate structures of both companies, this likely includes China,' noyb said.

noyb requested information under GDPR from TikTok and six other companies about how they handle the data of European users, but none of the companies responded to the inquiry.

'Chinese companies have no choice but to comply with government requests for access to data, which means that European users' data is at risk when it is sent abroad. The relevant authorities need to act swiftly to protect the fundamental rights of those involved,' Sardelli said.

For these reasons, noyb has filed complaints with the data protection authorities (DPAs) of five countries - Greece, Italy, Belgium, the Netherlands and Austria - alleging that TikTok and six other companies are violating Article 44 of the GDPR, which sets out general principles for data transfers, and Article 46, which stipulates that transfers must be made in accordance with appropriate safeguards.

If the DPA finds a violation of the GDPR in response to a challenge, the companies could be ordered to pay fines of up to 4% of their annual worldwide revenues, which could amount to fines of up to 147 million euros for Xiaomi and up to 1.35 billion euros for Temu.