TikTok is among six Chinese tech companies hit by privacy complaints for sending Europeans’ personal data to China, breaching EU data transfer law.
EU law is clear, the Austrian privacy advocacy group None of Your Business (stylized as noyb), which filed the complaints, explains in a blog post: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data.
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful – and must be terminated immediately,” said Kleanthi Sardeli, data protection lawyer at noyb.
Alongside the popular video-sharing app, noyb also filed GDPR complaints in five countries against AliExpress, SHEIN, Temu, WeChat, and Xiaomi for unlawful data transfers to China.
The danger of data transfers
As per GDPR rules, data transfers outside Europe should only occur as exceptions, subject to proof that the data is protected under strict requirements.
Companies are required to conduct an impact assessment, experts explain, to verify that European data is secure against national laws of the destination country that may require giving authorities access to data. This is clearly not the case for China, whose data protection laws are notorious for not limiting authorities’ access in any way.
In its transparency reports, for example, mobile manufacturer Xiaomi confirms how Chinese authorities can obtain virtually unlimited access to users’ sensitive information.
“Chinese companies have no choice but to comply with government requests for access to data,” said Kleanthi Sardeli, data protection lawyer at noyb. “This means that European users’ data is at risk as long as it’s sent abroad.”
🚨 Today, we’ve filed six complaints against the Chinese tech companies @shoptemu, @SHEIN_Official, @Xiaomi, @AliExpress_EN, @Weixin_WeChat and @TikTokSupport over data transfers to China. Find all the details here: https://t.co/v0UgpGSATp (January 16, 2025)
Experts also pointed out that it’s almost impossible for Europeans (and any other foreign users) to exercise their data privacy rights under Chinese laws. noyb reported, in fact, how some European users’ requests to access their data under Article 15 of GDPR were ignored by the aforementioned companies.
Four of these companies (AliExpress, SHEIN, TikTok, and Xiaomi), however, explicitly state that they send Europeans’ personal data to China in their privacy policies. Temu and WeChat only mention vague transfers to “third countries.”
This is why, on January 16, 2025, noyb filed six privacy complaints for violations of Chapter V of the GDPR. Experts are calling for the data protection authorities across five EU nations to immediately order the suspension of data transfers to China. These are Greece (TikTok, Xiaomi), Italy (SHEIN), Belgium (AliExpress), the Netherlands (WeChat), and Austria (Temu).
This is yet another reminder of the danger of data collection. We therefore advise everyone to be cautious when sharing their personal data with Chinese apps, as well as any other online services.
As a rule of thumb, you should actively minimize your data sharing by reviewing all your apps’ permissions and using security software like the best VPN apps every time you access the web.