Four of these companies admit to sending personal data of Europeans to China, while the other two speak of transfers to unspecified ‘third countries’, which are assumed to include China. However, according to EU law, data transfers outside the EU are only allowed if the destination country guarantees an equivalent level of protection. Since China, as an authoritarian surveillance state, does not offer such guarantees, it is unlikely that companies can prevent the Chinese government’s access to European users’ data. After the issues of data access by the US, the rise of Chinese apps represents a new challenge for data protection law in Europe.

Complaints filed in five countries

NOYB filed 6 complaints in Greece, Italy, Belgium, the Netherlands and Austria, asking the data protection authorities to immediately suspend transfers to China under Article 58(2)(j) of the GDPR, the European regulation governing data protection and privacy, guaranteeing rights and controls for EU citizens.

The complaints also call for companies to comply with the GDPR and for authorities to impose administrative fines to prevent further violations. The fines could reach 4 per cent of global turnover, equivalent to EUR 147 million for AliExpress and EUR 1.35 billion for Temu.

Article 58(2)(j) of the GDPR empowers the supervisory authorities to:

“suspend data flows to a recipient in a third country or to an international organisation.”

This tool is used when a transfer of personal data to countries outside the EU, or international organisations, violates the provisions of the GDPR, in particular those relating to data protection and security guaranteed in the country of destination. In the context of the complaints filed by NOYB, this provision has been invoked to request the suspension of personal data transfers to China, which is considered a country that does not offer a level of protection equivalent to the European one.

Data transfers outside the EU only in exceptional cases

Under the GDPR, companies may not transfer the personal data of European citizens outside the EU. However, if this is necessary, they must comply with stringent requirements to ensure that the data remains adequately protected.

For countries like China, which do not have an adequacy decision from the European Commission, companies often rely on Standard Contractual Clauses (SCC). These clauses oblige the recipient to comply with the protections provided by the GDPR, even outside the EU. To be authorised, it is mandatory to conduct an impact assessment that confirms the security of the data in the destination country and ensures that SCCs do not conflict with local regulations, such as those mandating access to data by government authorities.

However, in countries with authoritarian regimes, such as China, where laws oblige companies to share data with the government, ensuring compliance with European protections becomes virtually impossible. As a result, such transfers often fail to comply with the GDPR.

Kleanthi Sardeli, data protection lawyer at NOYB:

“Since China is an authoritarian surveillance state, it clearly does not offer the same level of data protection as the EU. The transfers of Europeans’ personal data are clearly illegal and must be stopped immediately.”

What is NOYB

NOYB (an acronym for ‘None Of Your Business’) is a European non-profit organisation specialising in data protection and privacy. Founded in 2017 by Austrian activist Max Schrems, NOYB focuses on enforcement and compliance with the General Data Protection Regulation (GDPR) and other privacy laws, promoting users’ rights against the misuse of their personal data by companies and organisations.

The name ‘None Of Your Business’ reflects the group’s philosophy: personal data belongs to individuals, and no company or entity should abuse it.

Significant results

NOYB is known for filing several high-profile lawsuits, such as those against Facebook, Google, and other large technology companies. Among the best known cases are the lawsuits that led to the invalidation of two EU-US data transfer agreements: the Privacy Shield (2020) and the Safe Harbor (2015).

High risk of data access by authorities

Xiaomi’s transparency reports confirm the risk of large-scale requests from Chinese authorities to access personal data, compared to a small number of requests from EU/EEA authorities during the same period. Moreover, Xiaomi almost always complies (or has to comply) with such requests. Moreover, it is almost impossible for foreign users to exercise their rights under Chinese data protection law. There is no independent data protection authority or dedicated court, and the scope of the laws is unclear.

User access requests ignored

The reported companies did not provide the information required by Article 15 of the GDPR, which covers data transfers. However, the privacy policies of AliExpress, SHEIN, TikTok and Xiaomi explicitly mention transfers to China. Temu and WeChat, on the other hand, mention transfers to ‘third countries’ which, based on their corporate structure, probably include China.

Kleanthi Sardeli:

“Chinese companies have no choice: they have to comply with government access requests. This means that European users’ data is at risk as long as it is sent abroad. The relevant authorities must act quickly to protect the fundamental rights of those involved.”