TikTok is among six Chinese tech companies hit by privacy complaints for sending personal data of Europeans to China, in violation of EU data transfer law.
EU law is clear: Austrian privacy group None of Your Business (stylized as noyb) who filed the complaint, explains in a blog post – that data transfers outside the EU are only permitted if the destination country does not infringe data protection.
“Given that China is an authoritarian surveillance state, it is clear that it does not offer the same level of data protection as the EU. The transfer of Europeans’ personal data is clearly illegal – and must be stopped immediately,” said Kleanthi Sardeli, data protection lawyer at noyb.
Alongside the popular video sharing app, noyb has also filed GDPR complaints in five countries against AliExpress, SHEIN, Temu, WeChat and Xiaomi for illegal data transfers to China.
The danger of data transfers
Under GDPR rules, data transfers outside of Europe should only take place in exceptional circumstances, subject to proving that the data is protected by strict requirements.
Companies are required to conduct an impact assessment, experts say, to check that European data is secure against the destination country’s national laws which may require authorities to have access to the data. This is clearly not the case for China, whose data protection laws are known for not limiting authorities’ access in any way.
In its transparency reports, for example, mobile phone maker Xiaomi confirms that Chinese authorities can obtain almost unlimited access to sensitive user information.
“Chinese companies have no choice but to comply with government requests for data access,” said Kleanthi Sardeli, a data protection lawyer at noyb.. “This means that European users’ data is at risk as long as it is sent abroad.”
🚨 Today we filed six complaints against Chinese technology companies @shoptemu, @SHEIN_Official, @Xiaomi, @AliExpress_EN, @Weixin_WeChat and @TikTokSupport regarding data transfers to China. Find all the details here: https://t.co/ v0UgpGSATpJanuary 16, 2025
Experts also pointed out that it is almost impossible for Europeans (and any other foreign users) to exercise their data privacy rights under Chinese laws. noyb has indeed reported how requests from some European users to access their data under Article 15 of the GDPR were ignored by the aforementioned companies.
Four of these companies (AliExpress, SHEIN, TikTok and Xiaomi), however, explicitly state that they send the personal data of Europeans to China in their privacy policies. Temu and WeChat only mention vague transfers to “third countries”.
Therefore, noyb filed six complaints for violations of Chapter V of the GDPR on January 16, 2025. Experts call on the data protection authorities of five EU countries to immediately order the suspension of data transfers to China. These are Greece (TikTok, Xiamoi), Italy (SHEIN), Belgium (AliExpress), the Netherlands (WeChat) and Austria (Temu).
It’s yet another reminder of the danger of data collection. We then advise everyone to be careful when sharing their personal data with Chinese applications, as well as any other online services.
As a general rule, you should actively minimize your data sharing by reviewing the permissions of all your apps and using security software like the best VPN apps every time you access the web.
