As you may have noticed, the tech world is full of news about TikTok, its ban, its reprieve and possible sale, and whether it represents a security threat to the US and its citizens. Of course, the question of whether TikTok is spying on its users and sending data back to China is broader than that. It can also be asked of the other rising Chinese tech companies, and not just in the US, but globally. That includes the EU, which has famously strict laws aiming to protect citizens’ personal data. So it was probably inevitable that complaints under the EU’s General Data Protection Regulation (GDPR) would be filed against Chinese companies. And it was probably inevitable that the person and organization to do so would be Max Schrems and his noyb.eu team, who have weaponized the GDPR with huge success. Here’s their latest move, which is a significant one:
Today, noyb has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. While four of them openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”. As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China. But EU law is clear: data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data. Given that China is an authoritarian surveillance state, companies can’t realistically shield EU users’ data from access by the Chinese government.
The post on the noyb.eu site explains what Chinese companies need to do in order to make legal transfers of personal data from the EU:
For countries like China, companies usually rely on “Standard Contractual Clauses” (SCCs). SCCs are a contract in which the Chinese recipient pledges to follow EU protections – even in China. For this to be allowed, companies must conduct an impact assessment to verify that Europeans’ data is secure in the destination country and that the SCCs are not conflicting with national laws that require access to data. Given that China is an authoritarian surveillance state, there is no adequacy decision and no company can provide such a guarantee. Chinese data protection laws do not limit the access by authorities in any way.
It was the lack of an “adequacy decision” at the time that caught out the European Commission itself when it transferred EU personal data to the US, as discussed in a recent Techdirt post. Alongside what noyb.eu calls “High risk of data access by [Chinese] authorities”, there is also the fact that it is almost impossible for foreign users to exercise their rights under Chinese data protection law. That law may exist, but:
The country doesn’t have a dedicated and independent data protection authority or another tribunal to raise government surveillance issues and the scope and application of the laws are unclear.
The final ground for noyb.eu’s complaint flows from a rather quixotic attempt to get Chinese tech companies to explain what happens to the personal data of EU citizens:
The complainants therefore filed access requests under Article 15 GDPR with the above-mentioned companies to see if their data was sent to China or other countries outside the EU. Unfortunately, none of the companies provided the legally required information about data transfers.
That’s hardly a surprise, but it does provide another ground for asking data protection authorities in five EU countries — Austria, Belgium, Greece, Italy and the Netherlands — to order the immediate suspension of data transfer to China by the tech companies involved. And then there is the matter of the fines that can be imposed under the GDPR:
Last but not least, noyb asks the DPAs to impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4% of the global revenue, which can e.g. amount to €147 million (annual revenue of €3.68 billion) for AliExpress or €1.35 billion (annual revenue of €33.84 billion) for Temu.
As noyb.eu puts it, “the rise of Chinese apps opens a new front for EU data protection law,” one that is likely to assume ever-greater importance as Chinese tech companies achieve growing success in global markets. Alongside the political battles in the US, this latest GDPR complaint by Schrems and his team is likely to be a key development in the privacy and tech worlds.