Privacy advocates file GDPR complaints against major Chinese tech platforms
Three companies fail to provide required data access, violating fundamental European privacy rights.

European privacy advocacy group noyb filed formal complaints against three major Chinese technology platforms on July 17, 2025, alleging systematic violations of data access rights under the General Data Protection Regulation (GDPR). The complaints target WeChat, AliExpress, and TikTok for failing to provide users with complete access to their personal data, as required under Article 15 GDPR.
According to the complaints filed with data protection authorities in the Netherlands, Belgium, and Greece, all three companies violated fundamental transparency requirements that allow European users to understand how their personal information is being processed. The organizations failed to respond adequately to access requests submitted months earlier, with WeChat completely ignoring user requests and the other platforms providing incomplete or technically defective responses.
Summary
Who: European privacy advocacy group noyb filed complaints against Tencent International Service Europe B.V. (WeChat), Alibaba.com Singapore E-Commerce Private Limited (AliExpress), and ByteDance Ltd. (TikTok).
What: The complaints allege systematic violations of GDPR Articles 12 and 15, specifically failure to provide users with complete access to their personal data and information about data processing activities.
When: The complaints were filed on July 17, 2025, following months of inadequate responses to user access requests submitted earlier in 2025.
Where: Complaints were submitted to data protection authorities in the Netherlands (WeChat), Belgium (AliExpress), and Greece (TikTok), targeting companies with European operations.
Why: The violations prevent European users from exercising fundamental privacy rights, understanding how their data is processed, and verifying compliance with data transfer requirements, particularly regarding transfers to China where legal protections differ from European standards.
WeChat maintains complete silence on data requests
Tencent International Service Europe B.V., the Dutch subsidiary responsible for WeChat operations in Europe, completely failed to respond to a user's data access request submitted six months prior, according to the complaint filed with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The complainant had specifically requested information about potential data transfers to China and other third countries through WeChat's data subject rights request form.
After six months of silence, WeChat responded only with instructions on using an "Export Personal Data" tool within the application, without providing any of the specific information required under GDPR Articles 15(1), (2), and (3). The complaint alleges this constitutes a violation of Article 15(1)(c) GDPR, which requires controllers to provide actual recipient identities when personal data has been disclosed.
The filing emphasizes that WeChat's approach violates Article 15(2) GDPR by failing to provide access to safeguards for transferring personal data to China as required under Article 46 GDPR. Additionally, the company violated Article 15(3) GDPR by not providing a copy of personal data undergoing processing.
AliExpress provides broken files, incomplete responses
Alibaba.com Singapore E-Commerce Private Limited faced similar allegations after providing a complainant with a defective data file that could only be opened once, according to the complaint filed with the Belgian Data Protection Authority. The user had initially attempted to download personal data through AliExpress's "Copy of Personal Data" feature but received a technically broken file.
When the complainant submitted a formal access request via email to DataProtection.AE@aliexpress.com, the company responded by referring back to its privacy policy and the same defective download tool. The complaint states that AliExpress violated Article 15(3) GDPR by failing to provide "a copy of the personal data undergoing processing" in a usable format.
The filing notes that providing a document accessible only once creates "an insurmountable obstacle to the Complainant's right of access" and prevents users from retaining copies for legal compliance purposes. AliExpress also failed to provide information about data transfers to China or safeguards protecting European user data in third countries.
TikTok delivers unstructured, incomprehensible data
ByteDance Ltd., TikTok's parent company, provided users with raw data in an unstructured format across multiple folders that was "not feasible for the complainant to understand," according to the complaint filed with the Hellenic Data Protection Authority. The platform's "Download your Data" feature delivered technical files lacking the specific information required under Article 15(1) GDPR.
The complaint alleges that TikTok failed to provide information about processing purposes, data categories, recipients, storage periods, rectification rights, complaint procedures, data sources, and automated decision-making processes. When the user submitted additional requests through TikTok's Global Privacy Requests form, the company responded by referring back to its privacy policy and the inadequate download tool.
TikTok's response violated Article 15(1)(c) GDPR by not providing actual recipient identities and Article 15(2) GDPR by failing to disclose information about international data transfers. The platform also violated Article 12(1) and (2) GDPR by not taking appropriate measures to provide requested communications and by making it difficult for users to exercise their rights.
Legal framework demands comprehensive access
The GDPR establishes fundamental rights for European users to access their personal data and understand how it is being processed. Article 15 requires controllers to provide specific information including processing purposes, data categories, recipients, storage periods, and sources of personal data. Article 12 mandates that controllers facilitate the exercise of data subject rights through transparent and accessible procedures.
The European Court of Justice has emphasized that the right of access serves to enable data subjects to "carry out the necessary checks" on data processing activities. The Court's ruling in RW v Österreichische Post AG established that controllers must provide "the actual identity of those recipients" when personal data has been disclosed, rather than general categories.
The European Data Protection Board's Guidelines 01/2022 on data subject rights specify that access responses must be "updated and tailored for the processing operations actually carried out with regard to the data subject." Generic privacy policy references do not satisfy these requirements.
Chinese platforms lag behind US counterparts
According to noyb data protection lawyer Kleanthi Sardeli, "Tech companies love collecting as much data about you as possible – but vehemently refuse to give you full access as required by EU law." The organization notes that most major technology companies have implemented automated tools for mass-scale GDPR compliance, making it technically straightforward to provide required access.
However, the Chinese platforms failed to implement adequate systems despite having European subsidiaries and processing significant volumes of European user data. The complaints highlight that these companies collect extensive personal information including registration data, location information, communication metadata, profile data, and contact lists.
The violations are particularly significant given ongoing concerns about data transfers to China. European law requires that data transfers to third countries include adequate safeguards, as Chinese laws do not limit government access to personal data stored within Chinese jurisdiction.
Enforcement patterns reveal regulatory gaps
These complaints follow a broader pattern of inconsistent GDPR enforcement across European Union member states. Recent analysis shows that while authorities have imposed over 6,680 fines totaling €4.2 billion since GDPR implementation, enforcement varies significantly between countries and platforms.
The marketing industry faces particular challenges as privacy advocacy groups pursue court challenges against data protection authorities over inconsistent enforcement. German authorities have faced criticism for failing to act on complaints about unlawful consent systems, while Dutch authorities have been more active in establishing compliance frameworks for emerging technologies.
International data transfer compliance becomes critical
The complaints underscore growing tensions between privacy protection and international data flows, particularly to jurisdictions with different legal frameworks. Recent European Data Protection Board guidance on blockchain technologies emphasizes that data transfer requirements must be addressed "from the design phase" of new technologies.
For marketing professionals, these developments highlight the importance of understanding data transfer mechanisms when working with international platforms. The GDPR's Chapter V requirements apply even when processing involves decentralized systems or multiple jurisdictions, requiring careful assessment of safeguards and legal bases.
Requests for investigation and penalties
The complaints request that respective data protection authorities investigate the companies' processing activities, issue declaratory decisions finding GDPR violations, and order compliance with access requests. noyb has also suggested administrative fines under Articles 58(2)(i) and 83(5) GDPR, which can reach up to 4% of global annual revenue.
For AliExpress, with annual revenue of €3.68 billion, maximum penalties could reach €147 million. The complaints emphasize that violations of Article 15 GDPR carry particular gravity because they prevent users from exercising other fundamental rights under Articles 16-22 GDPR, including rectification, erasure, and restriction of processing.
The cases represent part of noyb's broader enforcement strategy following January 2025 complaints against the same companies for unlawful data transfers to China. According to the organization, SHEIN, Temu, and Xiaomi provided additional information during those proceedings, while TikTok, AliExpress, and WeChat continued violating GDPR requirements.
Terms Explained
Data Subject Rights: These fundamental GDPR provisions grant individuals comprehensive control over their personal data processing. For marketing teams, data subject rights include access (Article 15), rectification (Article 16), erasure (Article 17), and portability (Article 20). Understanding these rights is crucial for customer data platforms, email marketing systems, and advertising technology that processes personal information. Marketing operations must implement technical and organizational measures to respond to these requests within legally mandated timeframes, typically one month.
Cross-Border Data Processing: This refers to the transfer and processing of personal data across international boundaries, particularly relevant for global marketing campaigns. When marketing teams use international advertising platforms, customer data platforms, or analytics services, they must ensure compliance with GDPR Chapter V requirements. Cross-border processing involves complex legal assessments of adequacy decisions, standard contractual clauses, and binding corporate rules to protect European user data in third countries.
Automated Decision-Making: This encompasses algorithmic systems that make decisions about individuals without human intervention, increasingly common in marketing technology. Examples include programmatic advertising bid decisions, customer segmentation algorithms, and personalized content delivery systems. Article 22 GDPR provides specific protections against automated decision-making that produces legal or similarly significant effects, requiring marketing teams to implement safeguards, explanations, and human review processes for high-impact algorithmic decisions.
Data Controller vs Data Processor: This fundamental GDPR distinction determines legal responsibilities in marketing data relationships. Controllers determine the purposes and means of processing (typically the brand or marketing organization), while processors handle data on behalf of controllers (such as email service providers or analytics platforms). Marketing teams must clearly define these roles in vendor contracts, as controllers bear primary responsibility for GDPR compliance while processors have specific obligations regarding security, confidentiality, and data protection impact assessments.
Legitimate Interest vs Consent: These represent two primary legal bases for processing personal data in marketing contexts. Consent requires active, informed agreement from individuals and can be withdrawn at any time, making it suitable for email marketing and direct advertising. Legitimate interest allows processing when the controller's interests outweigh individual privacy rights, often used for analytics, fraud prevention, and certain advertising activities. Marketing teams must conduct balancing tests and provide clear opt-out mechanisms when relying on legitimate interest.
Data Minimization Principle: This core GDPR requirement mandates collecting and processing only personal data necessary for specific, explicit purposes. For marketing teams, data minimization means collecting essential customer information for defined campaigns rather than comprehensive data harvesting. This principle challenges traditional marketing approaches that emphasized maximum data collection, requiring teams to justify each data point's necessity and implement technical measures to limit processing scope.
Pseudonymisation: This data protection technique processes personal data to prevent attribution to specific individuals without additional information kept separately. Marketing applications use pseudonymisation to analyze customer behavior patterns and campaign effectiveness while protecting individual privacy through techniques like hashed customer identifiers, encrypted preference data, and tokenized transaction records. Pseudonymisation provides stronger legal protections than anonymization while maintaining analytical utility.
Privacy by Design: This approach requires implementing data protection measures during the initial design phases of marketing systems and processes rather than adding compliance features retroactively. For marketing technology development, privacy by design means building data protection into customer data platforms, analytics systems, and advertising tools from conception. This includes technical measures like encryption, access controls, and data retention automation, plus organizational measures like staff training and privacy impact assessments.
Standard Contractual Clauses (SCCs): These European Commission-approved contractual templates provide legal safeguards for international data transfers between organizations. Marketing teams using global advertising platforms, analytics services, or customer data platforms must ensure SCCs are properly implemented in vendor agreements. Modern SCCs include detailed provisions for data transfer impact assessments, security measures, and local law compliance that affect how marketing data flows internationally.
Data Protection Impact Assessment (DPIA): This systematic evaluation process identifies and mitigates privacy risks in high-risk data processing activities. Marketing teams must conduct DPIAs for large-scale profiling, automated decision-making systems, or innovative marketing technologies that could significantly impact individual privacy. The assessment process involves stakeholder consultation, risk analysis, and mitigation measures that inform technology selection, campaign design, and vendor management decisions in marketing operations.
Timeline
- August 2021: German DPAs receive first complaints about "Pay or OK" systems, highlighting broader enforcement challenges
- April 17, 2024: EDPB issues guidance on consent or pay models, establishing standards for valid consent
- May 6, 2024: German authorities issue first AI privacy guidelines, addressing automated processing concerns
- January 2025: noyb files initial complaints against Chinese platforms for unlawful data transfers to China
- May 23, 2025: Dutch authorities release AI compliance consultation, highlighting data sourcing issues
- July 8, 2025: EDPB requires 26 changes to German certification scheme, demonstrating detailed compliance requirements
- July 17, 2025: noyb files GDPR complaints against WeChat, AliExpress, and TikTok for access request violations