Austrian advocacy group noyb has filed legal complaints against TikTok, AliExpress, and other tech companies for allegedly violating EU data protection laws by transferring user data to China.
Key Points at a Glance
- TikTok, AliExpress, and others face GDPR complaints for illicit data transfers to China.
- Concerns raised over Chinese government access to European users’ personal data.
- Companies failed to respond to EU data access requests under GDPR.
- The case highlights tensions over international data governance and corporate transparency.
Austrian non-profit organization None of Your Business (noyb) has initiated legal action against major tech platforms, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, accusing them of violating the European Union’s General Data Protection Regulation (GDPR). Filed in Austria, Belgium, Greece, Italy, and the Netherlands, the complaints claim these companies unlawfully transfer European user data to China, potentially exposing it to surveillance by Chinese authorities.
Kleanthi Sardeli, a data protection lawyer at noyb, emphasized the gravity of the situation: “Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the E.U. Transferring Europeans’ personal data is clearly unlawful and must be terminated immediately.” The group argues that Chinese companies are legally obligated to comply with government data access requests, further eroding user privacy protections.
According to noyb, the accused companies failed to respond to GDPR-compliant access requests, which sought clarity on the nature of their data transfers. TikTok, AliExpress, SHEIN, and Xiaomi explicitly mention transfers to China in their privacy policies. Temu and WeChat, while less transparent, suggest data may be sent to “third countries,” likely including China based on corporate structures.
The allegations come amidst rising global scrutiny of data transfers to China. ByteDance-owned TikTok is preparing to cease operations in the U.S. following a federal ban set to take effect on January 19, 2025. The ban stems from national security concerns over potential Chinese government access to user data. Similarly, noyb has previously targeted other major tech companies like Google, Microsoft, and Mozilla for GDPR violations, reflecting its broader mission to uphold stringent data privacy standards in Europe.
The noyb complaints are part of an escalating international debate on data sovereignty and governance. Critics argue that global tech companies must ensure compliance with local regulations while safeguarding user data against foreign government overreach. The case underscores the growing tension between the EU’s robust privacy laws and China’s expansive surveillance apparatus.
Adding to the regulatory momentum, the U.S. Federal Trade Commission (FTC) has recently taken decisive actions against data mismanagement. The FTC banned General Motors from sharing drivers’ geolocation data without consent and ordered GoDaddy to implement stronger security measures following multiple data breaches. It also amended the Children’s Online Privacy Protection Rule (COPPA), requiring verifiable parental consent before processing children’s data for advertising or sharing it with third parties. These developments demonstrate a global push toward stricter data privacy and corporate accountability.
The noyb complaints represent a pivotal moment in the fight for data privacy. As Europe seeks to uphold its stringent GDPR standards, the outcomes of these cases could set precedents for international data transfer regulations. The legal proceedings will likely influence how tech companies navigate the complexities of operating across jurisdictions with varying privacy frameworks.
