TikTok is among six Chinese tech companies hit by privacy complaints for sending Europeans’ personal data to China, violating EU data transfer law.
EU law is clear: the Austrian privacy advocacy group None of Your Business (stylized as noyb), which filed the complaint, explains in a blog post that data transfers outside the EU are only permitted if the destination country does not undermine data protection.
“Given that China is an authoritarian surveillance state, it is very clear that China does not offer the same level of data protection as the EU. The transfer of Europeans’ personal data is clearly illegal and must be stopped immediately,” said Kleanthi Sardeli, data protection lawyer at noyb.
In addition to the popular video-sharing app, noyb also filed GDPR complaints in five countries against AliExpress, SHEIN, Temu, WeChat and Xiaomi for illegal data transfers to China.
The danger of data transfers
Under GDPR rules, data transfers outside Europe should only be carried out as exceptions, subject to proof that the data is protected by strict requirements.
Experts explain that companies should carry out an impact assessment to verify that European data is safe from national laws in the destination country that may require authorities to access the data. This is clearly not the case in China, whose data protection laws are famous for not limiting access by authorities in any way.
In its transparency reports, for example, the mobile manufacturer Xiaomi confirms how Chinese authorities can obtain practically unlimited access to users’ sensitive information.
“Chinese companies have no choice but to comply with government data access requests,” said Kleanthi Sardeli, data protection lawyer at noyb. “This means that European users’ data is at risk as long as it is sent abroad.”
🚨 Today we have filed six complaints against Chinese tech companies @shoptemu, @SHEIN_Official, @Xiaomi, @AliExpress_EN, @Weixin_WeChat and @TikTokSupport for data transfers to China. Find all the details here: https://t.co/v0UgpGSATp (January 16, 2025)
Experts also noted that it is almost impossible for Europeans (and any other foreign users) to exercise their data privacy rights under Chinese laws. noyb reported, in fact, how the aforementioned companies ignored requests from some European users to access their data under Article 15 of the GDPR.
However, four of these companies (AliExpress, SHEIN, TikTok and Xiaomi) explicitly state in their privacy policies that they send personal data of Europeans to China. Temu and WeChat only vaguely mention transfers to “third countries.”
Therefore, on January 16, 2025, noyb filed six privacy complaints for violating Chapter V of the GDPR. Experts call on data protection authorities in five EU countries to immediately order the suspension of data transfers to China. These are Greece (TikTok, Xiaomi), Italy (SHEIN), Belgium (AliExpress), the Netherlands (WeChat) and Austria (Temu).
This is another reminder of the danger of data collection. We therefore advise everyone to be careful when sharing their personal data with Chinese apps as well as any other online services.
As a general rule, you should actively minimize data sharing by reviewing the permissions of all your apps and using security software like the best VPN apps every time you access the web.