Europe inches closer to TikTok restrictions amid data privacy concerns
Privacy group's legal action against Chinese tech firms could lead to significant changes in TikTok's EU operations.
According to documents filed with data protection authorities on January 16, 2025, the European privacy advocacy group noyb launched formal complaints against six major Chinese technology companies, marking a potential shift in TikTok's operational future in Europe. The complaints, submitted to authorities in Austria, Belgium, Greece, Italy, and the Netherlands, specifically target the data transfer practices of companies including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi.
At the heart of these complaints lies a critical concern about data sovereignty. According to the filing documents, Chinese laws grant authorities "unrestricted powers regarding access to data processed by Chinese companies." This situation has raised significant concerns about the protection of European users' personal information.
The timing of these complaints gains particular significance as they come just one day before TikTok's complete shutdown in the United States. The U.S. Supreme Court's decision on January 19, 2025, upheld legislation requiring ByteDance, TikTok's parent company, to either divest its U.S. operations or cease activities entirely.
Kleanthi Sardeli, a data protection lawyer at noyb, emphasized in the filing documents the fundamental incompatibility between Chinese and European data protection standards: "Given that China is an authoritarian surveillance state, it is crystal clear that China doesn't offer the same level of data protection as the EU. Transferring Europeans' personal data is clearly unlawful – and must be terminated immediately."
The complaints specifically challenge the legal basis these companies use for international data transfers. Standard Contractual Clauses (SCCs), currently employed by these firms, face scrutiny as potentially inadequate safeguards when transferring data to China, given the country's legal framework requiring companies to share data with government authorities.
Evidence of extensive government access to user data emerges from Xiaomi's transparency reports, which document thousands of requests from Chinese authorities with an almost 100% compliance rate. These reports indicate substantially higher data requests from Chinese authorities compared to European counterparts during identical periods.
Corporate structure investigations reveal concerning patterns. TikTok's claimed Irish headquarters shares an address with 628 other companies, including firms offering "EU Representative services." This arrangement raises questions about the genuine independence of European operations from Chinese control.
The specific practices under scrutiny include ByteDance's continued control of TikTok operations from China, with employees reportedly still working under Beijing-based management despite claimed separation. Similarly, AliExpress processes European customer data through multiple entities, including China-based companies, while SHEIN's corporate structure includes Chinese subsidiaries with direct access to European user data.
Under current EU privacy law, personal data transfers outside the European Economic Area require the receiving country to ensure an "adequate level of protection." China has not received such an adequacy decision from the European Commission, making these data transfers potentially problematic under existing regulations.
The financial implications could be substantial. If found in violation, companies could face fines of up to 4% of their global annual revenue. For AliExpress parent company Alibaba, this could mean penalties of up to €147 million based on annual revenue of €3.68 billion. Temu's parent company PDD Holdings might face fines of up to €1.35 billion on revenue of €33.84 billion.
These complaints represent a significant escalation in European data protection enforcement. Previous cases targeting data flows to the United States led to the invalidation of multiple EU-US data transfer frameworks by the Court of Justice of the European Union. The current complaints raise similar concerns about surveillance powers, this time under China's legal framework, which, according to the filing documents, provides even fewer protections for personal data than U.S. laws.
The data protection authorities must now investigate these complaints and determine compliance with the EU's General Data Protection Regulation (GDPR). Previous European court decisions have established that supervisory authorities have a duty to act when presented with evidence of privacy violations.
This legal challenge emerges as part of a broader global trend toward stronger data sovereignty requirements and increased scrutiny of international data flows, particularly involving companies operating under different legal frameworks and privacy standards.