TikTok is among six Chinese tech companies hit with privacy complaints for sending Europeans’ personal data to China, breaking EU data transfer laws.
EU law is clear – the Austrian privacy group None of Your Business (stylized as noyb ), who filed the complaint, explains in a blog post – that data transfers outside the EU are only allowed if the destination country does not undermine the protection of data.
“Given that China is an authoritarian surveillance state, it is crystal clear that China does not offer the same level of data protection as the EU. The transfer of Europeans’ personal data is clearly illegal – and must be stopped immediately,” said Kleanthi Sardeli . data protection lawyer at noyb.
In addition to the popular video sharing app, noyb also filed GDPR complaints in five countries against AliExpress, SHEIN, Temu, WeChat and Xiaomi for illegal data transfers to China.
The danger of data transfers
According to the GDPR rules, data transfers outside of Europe should only occur as exceptions, subject to proof that the data is protected by strict requirements.
Companies are required to carry out an impact assessment, experts explain, to verify that European data is secured against the national laws of the destination country, which may require authorities to access data. This is clearly not the case for China, whose data protection laws are notorious for not restricting government access in any way.
In its transparency reports, the mobile manufacturer Xiaomi, for example, confirms how Chinese authorities can gain virtually unlimited access to users’ sensitive information.
“Chinese companies have no choice but to comply with government data access requests,” said Kleanthi Sardeli, data protection lawyer at noyb. “This means that European users’ data is at risk as long as it is sent abroad.”
Experts also pointed out that it is almost impossible for Europeans (and other foreign users) to exercise their data protection rights under Chinese laws. noyb actually reported how some European users’ requests to access their data under Article 15 of the GDPR were ignored by the aforementioned companies.
However, four of these companies (AliExpress, SHEIN, TikTok and Xiaomi) explicitly state that they send Europeans’ personal data to China in their privacy policies. Temu and WeChat only vaguely mention transfers to “third countries”.
This is why noyb has filed six privacy complaints for violating Chapter V of the GDPR on January 16, 2025. Experts are calling on data protection authorities across five EU countries to immediately order the suspension of data transfers to China. These are Greece (TikTok, Xiamoi), Italy (SHEIN), Belgium (AliExpress), Netherlands (WeChat) and Austria (Temu).
This is another reminder of the danger of data collection. We therefore advise everyone to be careful when sharing their personal data with Chinese apps, as well as other online services.
As a rule of thumb, you should actively minimize your data sharing by reviewing all your apps’ permissions and using security software like the best VPN apps every time you go online.
