TikTok, AliExpress, SHEIN & Co surrender Europeans’ data to authoritarian China

Data Transfers / 16 January 2025

Today, noyb has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. While four of them openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”. As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China. But EU law is clear: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data. Given that China is an authoritarian surveillance state, companies can’t realistically shield EU users’ data from access by the Chinese government. After issues around US government access, the rise of Chinese apps opens a new front for EU data protection law.

A woman with a laptop on her lap sits in front of a large red server symbolising data transfers to China. On her right are the logos of TikTok, Xiaomi and SHEIN, connected to the server by dotted lines.

Background: data transfers out of EU only as an exception. In principle, companies are not allowed to transfer Europeans’ data outside of the EU. If, for whatever reason, they still need to do so, companies can rely on a number of exceptions (“derogations”). However, if companies just outsource data out of convenience, they must meet strict requirements to ensure the security of personal data. For countries like China, companies usually rely on “Standard Contractual Clauses” (SCCs). SCCs are a contract in which the Chinese recipient pledges to follow EU protections – even in China. For this to be allowed, companies must conduct an impact assessment to verify that Europeans’ data is secure in the destination country and that the SCCs are not conflicting with national laws that require access to data. Given that China is an authoritarian surveillance state, there is no adequacy decision and no company can provide such a guarantee. Chinese data protection laws do not limit the access by authorities in any way.

Kleanthi Sardeli, data protection lawyer at noyb: “Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful – and must be terminated immediately.”

High risk of data access by authorities. Xiaomi’s transparency reports confirm this risk of Chinese authorities requesting and obtaining (unlimited) access to personal data in practice. According to these documents, authorities request access to personal data on a very large scale, while in the same time span, EU/EEA authorities only had a handful of requests. Also, Xiaomi almost always complies (or has to comply) with these Chinese authorities’ requests. On top of that, it is almost impossible for foreign users to exercise their rights under Chinese data protection law. The country doesn’t have a dedicated and independent data protection authority or another tribunal to raise government surveillance issues and the scope and application of the laws are unclear.

Users’ access request not answered. This makes it all the more important to find out what Chinese tech companies do with Europeans’ personal data. The complainants therefore filed access requests under Article 15 GDPR with the above-mentioned companies to see if their data was sent to China or other countries outside the EU. Unfortunately, none of the companies provided the legally required information about data transfers. We still know that, according to their privacy policy, AliExpress, SHEIN, TikTok and Xiaomi transfer data to China. Temu and WeChat mention transfers to third countries. According to Temu and WeChat’s corporate structure, this most likely includes China.

Kleanthi Sardeli, data protection lawyer at noyb: “Chinese companies have no choice but to comply with government requests for access to data. This means that European users’ data is at risk as long as it’s sent abroad. The competent authorities must act quickly to protect the fundamental rights of the people concerned.”

Complaints filed in five countries. noyb has now filed 6 GDPR complaints in 5 European countries and requests the data protection authorities to immediately order the suspension of data transfers to China under Article 58(2)(j), as the country does not provide an essentially equivalent level of data protection under Articles 44 and 46 GDPR. noyb also requests the companies to bring their processing into compliance with the GDPR. Last but not least, noyb asks the DPAs to impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4% of the global revenue, which can e.g. amount to €147 million (annual revenue of €3.68 billion) for AliExpress or €1.35 billion (annual revenue of €33.84 billion) for Temu.