GDPR Complaints Filed Against TikTok, Xiaomi, Over Data Transfers

European privacy advocacy group noyb has filed six General Data Protection Regulation (GDPR) complaints against major Chinese tech companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, for allegedly transferring Europeans' personal data to China in violation of EU law. The complaints, lodged in five different countries, argue that China's authoritarian surveillance state lacks adequate data protection safeguards, making such transfers inherently unlawful.

The complaints target:

• TikTok and Xiaomi in Greece
• SHEIN in Italy
• AliExpress in Belgium
• WeChat in the Netherlands
• Temu in Austria

According to noyb, four of these companies explicitly confirm in their privacy policies that they send users' personal data to China, while the other two—Temu and WeChat—admit to transferring data to unspecified “third countries.” Given their corporate structures, noyb assumes this includes China. The companies also allegedly failed to adequately respond to user access requests, making it unclear exactly how EU citizens' data is handled.

Why these transfers are illegal

Under GDPR rules, transferring personal data outside the EU is only permitted if the destination country ensures an equivalent level of data protection. In cases where this cannot be guaranteed, companies must rely on Standard Contractual Clauses (SCCs)—legal agreements where the receiving party pledges to uphold EU privacy protections. However, as noyb points out, Chinese law does not limit government access to data, making it impossible for companies to legally shield European users' data from state surveillance.

Kleanthi Sardeli, a data protection lawyer at noyb, stated:

“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn't offer the same level of data protection as the EU. Transferring Europeans' personal data is clearly unlawful – and must be terminated immediately.”

Xiaomi's own transparency reports provide further evidence of the risks involved. These documents reveal that Chinese authorities frequently request and obtain access to personal data, often at a scale far greater than similar requests from European authorities. Moreover, under Chinese law, companies must comply with government data access demands, leaving no recourse for EU users to challenge or limit surveillance.

Adding to the concerns, the six accused companies allegedly ignored Article 15 GDPR access requests, which legally require them to disclose whether users' data is being sent outside the EU. Their lack of transparency, combined with China's strict government control over corporate data, reinforces noyb's claims that EU citizens' personal information is at risk.

Potential consequences and next steps

With these complaints, noyb urges European data protection authorities (DPAs) to take immediate action, including:

• Suspending all data transfers to China under GDPR Article 58(2)(j).
• Compelling the companies to bring their data practices into compliance with EU law.
• Imposing administrative fines—which, under GDPR, can reach up to 4% of a company's global revenue.

If enforced, these penalties could be substantial. For example, AliExpress, which reported an annual revenue of €3.68 billion, could face fines of up to €147 million, while Temu, with €33.84 billion in revenue, could be fined as much as €1.35 billion.

This case marks a new front in EU data protection enforcement, following years of legal battles over U.S. government surveillance of European data. Now, with Chinese apps dominating global markets, noyb's complaints could set a precedent for how the EU regulates data flows to China, potentially reshaping how major platforms operate within Europe.

For now, EU users concerned about their data privacy should be cautious when using these platforms and take steps to protect their information by setting the strictest available privacy settings from within the apps.