GDPR complaints filed against TikTok, Temu for sending user data to China
Non-profit privacy advocacy group “None of Your Business” (noyb) has filed six complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, for unlawfully transferring European user’s data to China and infringing European Union’s general data protection regulation (GDPR).
Founded by Austrian privacy activist Max Schrems, NOYB works through legal action against companies that violate users’ privacy rights, particularly in areas like data transfers, online tracking, and surveillance.
noyb filed the complaints at data protection authorities (DPAs) in Greece, Italy, Belgium, the Netherlands, and Austria on behalf of users in the same countries.
In the documents, the non-profit highlights that China collects citizen data aggressively and processes it without restrictions, which is against European Union’s data protection law.
According to the GDPR, data transfers outside the European space should only be allowed as exceptions, and proof that the data is strictly protected from unauthorized state (or other) access needs to be produced.
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU,” stated noyb’s data protection lawyer, Kleanthi Sardeli.
According to noyb, the Chinese companies are in violation of Chapter V of the GDPR, specifically Articles 44 (general transfer principles), 46 (lack of safeguards), and 46 (1) (failure to conduct adequate impact assessments).
The lawyer also stated that the companies have to comply with data access requests from the China’s state authorities without a justification or limiting the supply under certain conditions.
noyb underlines that Xiaomi has previously admitted through public transparency reports that authorities in China can request and obtain “unlimited” to personal user data.
In addition to this risk, noyb also mentions that European users have their data access requests ignored by the said companies, which constitutes a violation of GDPR Article 15.
The article gives people the right to ask the controller, the six Chinese firms in this case, to inform them what personal data they hold and the purposes of processing it.
Given the above, noyb has now filed the following GDPR complaints across five European countries:
The organization requests the data protection authorities to demand the immediate suspension of data transfers to China and to bring their data processing practices in alignment with the GDPR requirements.
For GDPR violations the data protection authorities may find during their examination of the available evidence, the said companies could be called to pay administrative fines reaching up to 4% of their global annual revenue.
For Xiaomi and Temu, the fines could reach a maximum of $1.75 and $1.35 billion respectively.
BleepingComputer has contacted all six Chinese firms for a comment on noyb’s action, and we will update this post if and when we receive a response.
Source link