New TikTok threat as Chinese giants face GDPR probe

TikTok might have fought off a US ban – for now – but the social media giant is one of five Chinese tech companies to be facing potentially hefty fines for breaching GDPR for “unlawful” personal data transfers to China.

As the new Trump administration considers its options over the future of TikTok’s US operation, in the EU, the Max Schrems backed privacy organisation NOYB has filed six GDPR complaints in five countries against TikTok, AliExpress, Shein, Temu, WeChat and Xiaomi.

It is calling on the data protection authorities (DPAs) in Italy, Belgium, Greece, the Netherlands and Austria to immediately order the suspension of data transfers to China under Article 58(2)(j) as NOYB claims the country does not provide an essentially equivalent level of data protection under Article 44 and 46 GDPR.

While four of the companies openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”.

As none of the companies responded adequately to access requests, NOYB has taken this as an admission that this includes China.

However, data transfers outside the EU are only allowed if the destination country does not undermine the protection of data. And, NOYB argues that, given China is an “authoritarian surveillance state”, companies cannot realistically shield EU users’ data from access by the Chinese government.

After issues around US government access, the rise of Chinese apps opens a new front for EU data protection law, the organisation claims.

For countries like China, companies usually rely on “Standard Contractual Clauses” (SCCs) to transfer personal data. For this to be allowed, however, companies must conduct an impact assessment to verify that Europeans’ data is secure in the destination country and that the SCCs are not conflicting with national laws that require access to data.

NOYB also highlights that there is no adequacy decision with the EU and no company can provide such a guarantee. Chinese data protection laws do not limit the access by authorities in any way.

On top of that, it is almost impossible for foreign users to exercise their rights under Chinese data protection law. The country does not have a dedicated and independent data protection authority or another tribunal to raise government surveillance issues and the scope and application of the laws are unclear.

Working with NOYB, a number of individuals filed access requests under Article 15 GDPR with the above-mentioned companies to see if their data was sent to China or other countries outside the EU, yet none of the companies provided the legally required information about data transfers.

According to their privacy policies, AliExpress, Shein, TikTok and Xiaomi transfer data to China. Temu and WeChat mention transfers to third countries but this most likely includes China.

NOYB data protection lawyer Kleanthi Sardeli said: “Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful – and must be terminated immediately.

“Chinese companies have no choice but to comply with government requests for access to data. This means that European users’ data is at risk as long as it’s sent abroad. The competent authorities must act quickly to protect the fundamental rights of the people concerned.”

NOYB has now requested the relevant data protection authorities immediately order the suspension of data transfers to China under Article 58(2)(j) and is also calling on the companies to bring their processing into compliance with the GDPR.

The organisation is  also urging the DPAs to impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4% of the global revenue, equating to €1.35bn (€33.84bn in sales) for Temu, €720m (€17.9bn in sales) for TikTok and €147m (€3.68bn in sales) for AliExpress.

Whether this will be enough to scare marketers off is another matter. Despite its less than glowing data protection record, TikTok remains one of the fastest growing advertising channels in the world.

Related stories
Tech giants rake in half of digital spend as agencies fall
Mass GDPR complaints force Meta to pause AI data grab
Meta’s mega AI data grab sparks mass GDPR complaint
Germans back fight against ChatGPT data inaccuracies
Industry in peril as Schrems declares war on ChatGPT

Be the first to comment on "New TikTok threat as Chinese giants face GDPR probe"

Leave a comment