A privacy advocacy group, None of Your Business (noyb), has filed a landmark case against six Chinese technology giants over the illegal transfer of European users’ personal data to China without complying with the EU’s General Data Protection Regulation (GDPR). The complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi are led by the organization founded by Max Schrems. The legal actions were submitted to data protection authorities in five European countries: Greece, Italy, Belgium, the Netherlands, and Austria, representing users from these respective nations.
At the heart of the complaints lies China’s aggressive data collection practices and unrestricted data processing, which noyb argues fundamentally conflicts with European Union data protection laws.
Noyb Files Complaints Against Xiaomi, Huawei, Oppo, and TikTok for GDPR Breaches
Under GDPR, international data transfers outside the EU are permitted only as exceptions and require concrete evidence that the data remains protected from unauthorized access, whether by state authorities or other entities.
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU,” explained noyb’s data protection lawyer, Kleanthi Sardeli. The organization points out that these companies must comply with Chinese state authorities’ data access requests without requiring justification or imposing limitations.
The complaints specifically cite violations of GDPR Chapter V, focusing on Articles 44 and 46. These articles outline general transfer principles and necessary safeguards for international data transfers. Noyb highlights that the companies have failed to implement adequate impact assessments, a crucial requirement under GDPR.
EU Lawsuit Targets Chinese Tech for Data Privacy Violations
Particularly concerning is Xiaomi’s previous admission through public transparency reports that Chinese authorities can obtain “unlimited” access to personal user data. This admission adds weight to Noyb’s arguments about the risks of data transfers to China.
The complaints also address another significant issue: the companies’ alleged failure to respond to European users’ data access requests. Under GDPR Article 15, individuals have the right to know what personal data companies hold about them and how this data is being processed. The systematic ignoring of these requests constitutes another potential GDPR violation.
The complaints have been strategically filed across different European jurisdictions:
- TikTok and Xiaomi face complaints in Greece
- SHEIN’s complaint was filed in Italy
- AliExpress is being challenged in Belgium
- WeChat faces scrutiny in the Netherlands
- Temu’s complaint was submitted in Austria
Noyb asks data protection authorities to act immediately and suspend data transfers to China, forcing these companies to get in line with GDPR data processing requirements. Violations can attract very high fines, administrative fines up to 4% of each company’s global annual revenue. For Xiaomi, this may mean fines of up to $1.75 billion. For Temu, this could also be up to $1.35 billion.
This legal action is one of the most coordinated challenges against Chinese tech companies’ data practices in Europe to date.
The outcome will have far-reaching implications for how international companies operate within the European Union’s regulatory framework, especially those from countries with different data protection standards.
The comments from the companies have been solicited and their reactions might help understand better how they are going to address these grave allegations of GDPR non-compliance.
Comments are closed.