noyb has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi over unlawful data transfers to China.
Four of the companies admit to sending Europeans’ personal data to China, while the other two reference transfers to unspecified “third countries,” likely including China.
Under EU law, data transfers outside the EU are only allowed if the destination country ensures data protection equivalent to EU standards. Given China’s status as an authoritarian surveillance state, it is nearly impossible to shield EU users’ data from access by Chinese authorities.
Xiaomi’s transparency reports reveal large-scale access to personal data by Chinese authorities, contrasting with minimal requests from EU/EEA authorities.
“We are aware of a complaint sent by a non-profit organisation to a national data protection authority in Europe and we are examining the allegations made therein. Respecting user privacy has always been among Xiaomi’s core values, which includes transparency, accountability, user control, security, and legal compliance,” Xiaomi EU spokesperson said.
“Our privacy policy is developed to comply with applicable regulations such as the GDPR. By complying with local applicable laws and regulations in markets where Xiaomi operates, user data are stored and processed in compliance with local laws. In case any national data protection authority will approach Xiaomi in the future due to this complaint, we will fully cooperate with the authority to resolve the matter,” Xiaomi EU spokesperson said.
Chinese data protection laws lack independent oversight, making it difficult for foreign users to assert their rights. None of the companies adequately responded to access requests filed under Article 15 GDPR, leaving complainants with insufficient information about data transfers.
noyb argues that transferring Europeans’ personal data to China is unlawful and must cease immediately. Complaints were filed in five European countries, requesting data protection authorities to suspend such transfers under GDPR and impose fines to deter future violations. Potential penalties include up to €147 million for AliExpress and €1.35 billion for Temu, reflecting their global revenues.
Baburajan Kizhakedath
