Austrian privacy advocates, noyb (None of Your Business), lodged six data protection complaints in five European countries against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi on Thursday claiming the Chinese tech giants are unlawfully sending Europeans’ data to China.

Noyb has asked Data Protection Authorities to order the companies to suspend the data transfers to China and to slap fines on them. 

Under EU law, personal data can only be transferred to a third country if that country is deemed to provide adequate levels of protection or if special agreements are in place. Countries such as Canada, Japan, Israel, and South Korea have been granted “adequacy decisions”, meaning they meet the EU’s standards. In other cases, companies can pledge to safeguard data according to EU guidelines. 

However, noyb argues that China’s authoritarian government and lack of independent oversight pose a significant risk to the fundamental rights of European users. According to the group, China’s legal framework fails to prevent authorities from accessing citizens’ data, making the transfer of European data to China a major privacy concern. 

Noyb claims that AliExpress, SHEIN, TikTok and Xiaomi admitted to transmitting data to China in their privacy policy. Meanwhile Temu and WeChat reportedly mention transfers to third countries, which noyb believes is China.  

The privacy advocate had previously requested access to information under GDPR from these companies, but claims none complied with the demand. 

All six companies were contacted by Euronews for comment, but only Xiaomi and TikTok replied. A spokeperson for Xiaomi stated that “Respecting user privacy has always been among Xiaomi’s core values (…)Our privacy policy is developed to comply with applicable regulations such as the GDPR”. The company’s spokesperson told Euronews that the tech firm was willing to fully cooperate with the authorities to resolve the matter. 

TikTok stated that it has never shared, nor has it been asked to share, European user data with the Chinese government, and emphasised that it would not comply if such a request were made. The company assured Euronews of its high standards in data security, adding that these standards go beyond the requirements set by the GDPR.

The complaints are now in the hands of data protection authorities in Austria, Belgium, Greece, Italy and the Netherlands. If found guilty of breaching GDPR, the companies could face fines of up to 4% of their global turnover.