Austrian privacy non-profit None of Your Business (noyb) has lodged complaints against companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for breaching data protection laws in the European Union by unlawfully transferring user data to China.
The organization is requesting an immediate halt to such transfers, arguing that the companies in question are unable to protect user data from potential access by the Chinese government. The complaints have been filed in Austria, Belgium, Greece, Italy, and the Netherlands.
“Considering that China is an authoritarian surveillance state, it is evident that China does not provide the same level of data protection as the EU,” said Kleanthi Sardeli, a data protection lawyer at noyb. “The transfer of personal data of Europeans is clearly illegal and must be stopped immediately.”
Noyb highlighted that the companies are obligated to comply with requests from Chinese authorities for data access, and that Beijing lacks an independent data protection agency to address issues related to government surveillance.
The organization also mentioned that none of the companies responded to its data access requests under the General Data Protection Regulation (GDPR) to clarify the nature of data transfers, including whether they are sent to China or any other country outside the EU.
“According to their privacy policies, AliExpress, SHEIN, TikTok, and Xiaomi transfer data to China,” noyb explained. “Temu and WeChat mention transfers to third countries. Given the corporate structure of Temu and WeChat, this likely includes China.”
These actions come as TikTok, owned by ByteDance, prepares to cease operations in the US from January 19, 2025, following a federal ban on the social media platform.
In recent times, noyb has filed GDPR-related complaints against Google, Microsoft, and Mozilla for tracking users without consent through Privacy Sandbox, Xandr, and Firefox, respectively.
FTC Takes Actions Against General Motors and GoDaddy
The complaints coincide with the US Federal Trade Commission (FTC) prohibiting automaker General Motors from sharing data collected from drivers, such as geolocations and driving behavior information, with consumer reporting agencies without their explicit consent for a period of five years.
According to an investigation by The New York Times in March 2024, this information was shared with data brokers LexisNexis Risk Solutions and Verisk, who collaborated with the insurance industry to create risk profiles and raise auto insurance rates for certain drivers.
In a statement, General Motors announced that it had discontinued the “Smart Driver” data collection program in April 2024 due to customer feedback. The company stated that customers can access and delete their personal information through a US Consumer Privacy Request Form on its website.
Additionally, the FTC has mandated web hosting provider GoDaddy to implement a comprehensive information security program to address its inadequate security practices, which led to multiple customer data breaches between 2019 and 2022. GoDaddy has not admitted any wrongdoing or been fined.
The FTC criticized GoDaddy for failing to implement reasonable security measures, manage assets and inventory properly, patch software, assess risks to hosting services, use multi-factor authentication, log security-related events, monitor security threats, segment the network, and secure connections to services accessing consumer data.
Moreover, the FTC has introduced amendments to online privacy protections for children under the Children’s Online Privacy Protection Rule (COPPA), requiring verifiable parental consent before processing their data for advertising or sharing it with third parties.
“By necessitating parental consent for targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without explicit permission,” stated FTC Chair Lina M. Khan.
