Noyb complains about data transfers by TikTok, AliExpress & Co

The data protection activists at the Austrian organization noyb have filed complaints in European countries against the Chinese companies TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi. At issue is the unlawful transfer of user data to China, which the companies openly admit.



Transfer of personal data outside the European Union

The General Data Protection Regulation (GDPR) clearly regulates that personal data of EU citizens may only be stored and used by companies within the EU. A transfer to countries outside the EU is only permitted with an adequacy decision.

The data protection activists at noyb write that companies are not allowed to transfer the data of European citizens to countries outside the EU. If this is nevertheless necessary, companies can invoke a number of exceptions. However, if this personal data is to be outsourced, companies must meet strict requirements for the protection of personal data.

For countries such as China, companies use standard contractual clauses, for example. This is a contract in which Chinese recipients undertake to comply with EU data protection regulations – also in China.

And this is probably the sticking point, as an impact assessment of the agreement by the company is a prerequisite for the data transfer to China. This assessment is intended to ensure that the data of European citizens is secure in the destination country and that the standard contractual clauses do not conflict with national laws that allow access to data.

However, China is an authoritarian surveillance state. There is therefore no EU adequacy decision, nor can companies guarantee the protection of personal data. Chinese data protection law does not restrict access to data by the authorities in any way.



Kleanthi Sardeli, data protection lawyer at noyb, says: "China is an authoritarian surveillance state. It is therefore absolutely clear that China does not offer the same level of data protection as the EU. The transfer of Europeans' personal data is clearly unlawful and must be stopped immediately."

Data requests end with no results

Noyb has looked at Xiaomi's transparency reports and found confirmation that Chinese authorities can in practice request (unrestricted) access to personal data and receive it. In addition, Xiaomi almost always complies (or has to comply) with requests from the Chinese authorities, writes noyb.

Furthermore, it is almost impossible for foreign data subjects to exercise their rights under Chinese data protection law. The country has neither an independent data protection authority nor any other body to which problems relating to state surveillance could be raised. Last but not least, the scope and application of Chinese laws are unclear.

Some people therefore wanted to find out what Chinese tech companies were doing with European data. To that end, the complainants submitted requests for information under Article 15 GDPR to the aforementioned companies, asking whether their data was being sent to China or other countries outside the EU.

Unfortunately, none of the companies provided the legally required information about data transfers. Noyb claims to know that AliExpress, SHEIN, TikTok and Xiaomi send data to China, according to their privacy policies. Temu and WeChat mention transfers to third countries. Given their corporate structure, this most likely includes China.

Complaints filed in Europe

noyb has now filed six GDPR complaints in five European countries. In the complaints, the data subjects demand an immediate stop to data transfers to China in accordance with Article 58(2)(j), as the country does not offer an equivalent level of data protection in accordance with Articles 44 and 46 GDPR.

noyb is also calling on the aforementioned companies to bring their processing in line with the GDPR. Last but not least, to prevent similar infringements in the future, noyb proposes that the authorities impose an administrative fine. Such a fine can be up to 4% of global annual turnover, which could mean, for example, 147 million euros for AliExpress (annual turnover of 3.68 billion euros) or 1.35 billion euros for Temu (annual turnover of 33.84 billion euros).


