Data privacy group files complaints against Chinese tech firms over EU data flows

In a significant data privacy action, the European privacy advocacy group noyb filed formal complaints today against six major Chinese technology companies over alleged unlawful transfers of European users' personal data to China. The complaints target TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi.

According to the complaints filed with data protection authorities in Austria, Belgium, Greece, Italy and the Netherlands, these companies are transferring European users' personal data to China without adequate legal safeguards required under EU law.

The complaints allege that while these companies claim to process European data through EU-based subsidiaries, their actual data handling practices involve transfers to China where data protection standards do not meet EU requirements. According to noyb's filing documents, Chinese laws grant authorities "unrestricted powers regarding access to data processed by Chinese companies."

Kleanthi Sardeli, data protection lawyer at noyb, stated in the filing documents: "Given that China is an authoritarian surveillance state, it is crystal clear that China doesn't offer the same level of data protection as the EU. Transferring Europeans' personal data is clearly unlawful – and must be terminated immediately."

The complaints specifically challenge the companies' reliance on Standard Contractual Clauses (SCCs) as a legal basis for these international data transfers. According to the filing documents, SCCs alone cannot provide adequate protection when transferring data to China due to Chinese laws requiring companies to share data with government authorities.

The scale of government access to user data in China is demonstrated through transparency reports from Xiaomi, which show thousands of requests from Chinese authorities with an almost 100% compliance rate. According to these reports, Chinese authorities made substantially more data requests compared to European authorities during the same timeframes.

The complaints also raise concerns about the companies' corporate structures. While firms like TikTok claim to process European data through EU-based entities, noyb argues these are merely "letterbox" establishments without real decision-making power. According to the filing documents, TikTok's claimed Irish headquarters shares an address with 628 other companies, including law firms offering "EU Representative services."

The legal action targets specific data handling practices:

• TikTok's parent company ByteDance maintains significant control from China, with employees reportedly still working with Beijing-based managers despite claimed separation
• AliExpress processes European customer data through multiple entities including Chinese-based companies
• SHEIN's corporate structure includes Chinese subsidiaries with direct access to European user data
• Temu's privacy policy indicates data transfers to undisclosed "third countries"
• WeChat's privacy documentation acknowledges data sharing with group companies globally
• Xiaomi's transparency reports confirm regular data sharing with Chinese authorities

Under EU privacy law, personal data can only be transferred outside the European Economic Area if the receiving country ensures an "adequate level of protection." China has not received such an adequacy decision from the European Commission.

The complaints request immediate suspension of data flows to China and fines that could reach up to 4% of the companies' global annual revenue. For AliExpress parent company Alibaba, this could mean fines up to €147 million based on annual revenue of €3.68 billion. Temu's parent company PDD Holdings could face fines up to €1.35 billion on revenue of €33.84 billion.

The data protection authorities must now investigate these complaints and determine whether the data transfers comply with the EU's General Data Protection Regulation (GDPR). Previous European court decisions have emphasized that supervisory authorities have a duty to act when presented with evidence of privacy violations.

This action represents the latest challenge to international data transfers under European privacy law. Previous cases have targeted data flows to the United States, leading to the invalidation of multiple EU-US data transfer frameworks by the Court of Justice of the European Union.

The complaints filed today raise similar concerns about government surveillance powers, but in the context of China's legal framework which, according to the filing documents, provides even fewer protections for personal data than US laws.