TikTok, AliExpress, SHEIN, Temu, WeChat, And Xiaomi Hit With GDPR Complaints Over Personal Data Transfers To China

from the new-front dept

As you may have noticed, the tech world is full of news about TikTok, its ban, its reprieve and possible sale, and whether it represents a security threat to the US and its citizens. Of course, the question of whether TikTok is spying on its users and sending data back to China is broader than that. It can also be asked of the other rising Chinese tech companies, and not just in the US, but globally. That includes the EU, which has famously strict laws aiming to protect citizens’ personal data. So it was probably inevitable that complaints under the EU’s General Data Protection Regulation (GDPR) should be filed against Chinese companies. And it was probably inevitable that the person and organization to do so would be Max Schrems and his noyb.eu team that have weaponized the GDPR with huge success. Here’s their latest move, which is a significant one:

Today, noyb has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. While four of them openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”. As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China. But EU law is clear: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data. Given that China is an authoritarian surveillance state, companies can’t realistically shield EU users’ data from access by the Chinese government.

The post on the noyb.eu site explains what Chinese companies need to do in order to make legal transfers of personal data from the EU:

For countries like China, companies usually rely on “Standard Contractual Clauses” (SCCs). SCCs are a contract in which the Chinese recipient pledges to follow EU protections – even in China. For this to be allowed, companies must conduct an impact assessment to verify that Europeans’ data is secure in the destination country and that the SCCs are not conflicting with national laws that require access to data. Given that China is an authoritarian surveillance state, there is no adequacy decision and no company can provide such a guarantee. Chinese data protection laws do not limit the access by authorities in any way.

It was the lack of an “adequacy decision” at the time that caught out the European Commission itself when it transferred EU personal data to the US, discussed in a recent Techdirt post. Alongside what noyb.eu calls “High risk of data access by [Chinese] authorities”, there is also the fact that it is almost impossible for foreign users to exercise their rights under Chinese data protection law. That law may exist, but:

The country doesn’t have a dedicated and independent data protection authority or another tribunal to raise government surveillance issues and the scope and application of the laws are unclear.

The final ground for noyb.eu’s complaint flows from a rather quixotic attempt to get Chinese tech companies to explain what happens to the personal data of EU citizens:

The complainants therefore filed access requests under Article 15 GDPR with the above-mentioned companies to see if their data was sent to China or other countries outside the EU. Unfortunately, none of the companies provided the legally required information about data transfers.

That’s hardly a surprise, but it does provide another ground for asking data protection authorities in five EU countries — Austria, Belgium, Greece, Italy and the Netherlands — to order the immediate suspension of data transfer to China by the tech companies involved. And then there is the matter of the fines that can be imposed under the GDPR:

Last but not least, noyb asks the DPAs to impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4% of the global revenue, which can e.g. amount to €147 million (annual revenue of €3.68 billion) for AliExpress or €1.35 billion (annual revenue of €33.84 billion) for Temu.

As noyb.eu puts it, “the rise of Chinese apps opens a new front for EU data protection law,” one that is likely to assume ever-greater importance as Chinese tech companies achieve growing success in global markets. Alongside the political battles in the US, this latest GDPR complaint by Schrems and his team is likely to be a key development in the privacy and tech worlds.

Follow me @glynmoody on Bluesky and on Mastodon.

Companies: AliExpress, shein, temu, tiktok, wechat, xiaomi


Comments on “TikTok, AliExpress, SHEIN, Temu, WeChat, And Xiaomi Hit With GDPR Complaints Over Personal Data Transfers To China”

9 Comments
Anonymous Coward says:

But EU law is clear: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data.

I would hardly count every country in the EU as abiding by this, but they are inside the EU, so no big deal I guess. But outside the EU, there are what, one or two countries that might actually fit the description? So EU citizen data should probably be going nowhere.

cashncarry (profile) says:

I suppose it depends on your definition of weaponisation.

Most laws aimed at corporate behaviour/accountability are a kind of performance art. The legislators pretend they’re tough. The corporates pretend they’ll follow the law. It’s all designed to fool the rest of us into believing it will work.

Corporates then set about undermining such regulators as exist (“regulatory capture”) and legislators routinely deny the regulator the necessary funds to operate properly. And that’s all well before we get to questions of corrupt behaviour like regulators doing deals with miscreant corporates because they’re eyeing better-paying jobs, or chaps phoning chaps behind the scenes to arrange mere slaps on the wrist (“cost of doing business”).

It’s really only when people like noyb come along that we make much progress. Their “weaponisation” (as I see it) is drawing public attention to the whole farcical “performance” in an attempt to shame (or, in some cases, force) the regulators into actually applying the law. I really can’t think of a better term than “weaponisation” for their activities. Do you have a suggestion?

If regulators always acted against corporate misbehaviour with the same application and diligence as applies to, say, speeding fines and demerit points, the world would be a much better place.


Prince (user link) says:

AshtrayKart

This is a really concerning issue—data privacy is such a big topic now, especially with all these companies potentially violating GDPR guidelines by transferring personal data to China without proper consent. It makes you wonder just how much of our personal information is out there and who has access to it.

It’s a bit like having an ashtray in your home—you expect it to be discreet and functional, not something that just piles up with trash without you noticing. Our personal data should be treated with the same level of care and respect. When companies like TikTok, AliExpress, and the others mishandle our info, it feels like they’ve left an ashtray of personal data sitting in the open without our permission. I really hope there’s more regulation and accountability in the future to protect users.

Ben (profile) says:

Data protection law working

And this is what happens when a federation of states has a legitimate (if arguably flawed) data protection regime.

Perhaps the next Congress would like to consider similar legislation… and then have a real stick to hit TikTok with (and the like), not just a phantom of “a national security threat but we can’t tell you what or why because it’s all SeKReT, like”.
