The privacy advocacy group Noyb has filed six complaints against major Chinese tech companies—TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi—alleging they have unlawfully transferred European users’ data to China in violation of the European Union’s General Data Protection Regulation (GDPR). Noyb, founded by Austrian privacy activist Max Schrems, focuses on defending user privacy through legal action, particularly addressing issues like unauthorized data transfers, surveillance, and online tracking. The complaints were filed with data protection authorities (DPAs) in multiple European countries, including Greece, Italy, Belgium, the Netherlands, and Austria, on behalf of users in these regions.
The non-profit organization argues that China, an authoritarian state, does not offer the same level of data protection as the EU. It emphasizes that Chinese companies fail to meet the stringent requirements for data transfers outside the EU as outlined by GDPR, particularly Articles 44 and 46, which focus on ensuring safeguards for such transfers. Noyb points out that China aggressively collects and processes personal data without proper oversight, which puts European citizens’ privacy at risk. Additionally, it stresses that Chinese companies are compelled to comply with data access requests from the Chinese government without proper justification.
Noyb’s complaints specifically accuse these companies of violating GDPR provisions
Complaints specifically accuse these companies of violating GDPR provisions related to the transfer of personal data across borders. Xiaomi, for instance, has publicly admitted that Chinese authorities can request unlimited access to personal data, further highlighting the lack of protection. The group also claims that European users’ data access requests have been ignored, violating GDPR’s Article 15, which grants users the right to know what data is being collected and its intended use. The complaints call for immediate suspension of data transfers to China and for these companies to align their practices with GDPR standards.
If the data protection authorities find evidence of GDPR violations, the companies could face substantial fines, up to 4% of their global annual revenue. For Xiaomi and Temu, these fines could potentially reach billions of dollars, with Xiaomi facing up to $1.75 billion and Temu up to $1.35 billion. Noyb’s legal actions underline the ongoing concern over how Chinese tech companies handle personal data and the potential risks posed to European users’ privacy and security.