None of Your Business (NOYB), a prominent Austria-based advocacy group, filed GDPR complaints on Thursday against TikTok and five other Chinese companies for unlawfully sending Europeansโ personal data to China.
For those unaware, NOYB is a Vienna-based non-profit organization established in 2017 to advocate for data privacy rights and stronger data protection laws and regulations.
The organization is known for filing complaints against numerous U.S. tech giants like Apple, Alphabet, and Meta. This is the first complaint that the company has filed against Chinese firms.
The Vienna-based advocacy organization has filed six complaints against TikTok and Xiaomi in Greece, SHEIN in Italy, AliExpress in Belgium, WeChat in the Netherlands, and Temu in Austria for violating data protection regulations in the European Unionย (EU).
NOYB said that Alibaba’s e-commerce site AliExpress, retailer SHEIN, Chinese short-form video app TikTok, and phone maker Xiaomi have openly admitted to sending Europeansโ personal data to China, while retailer Temu and Tencent’s messenger app WeChat mentioned that they transfer data to undisclosed โthird countriesโ likely China.
Under the EUโs General Data Protection Regulation (GDPR) laws, data transfers outside the EU are permissible only if the destination country meets the EUโs strict data protection standards.
However, NOYB argues that Chinaโs authoritarian government and surveillance practices make it impossible for companies to shield European users’ data legally from state surveillance.
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful โ- and must be terminated immediately,” Kleanthi Sardeli, data protection lawyer at NOYB, said in a statement.
“As none of the companies responded adequately to the complainants’ access requests, we have to assume that this includes China. After issues around US government access, the rise of Chinese apps opens a new front for EU data protection law,” the statement added.
NOYB has urged European data protection authorities (DPAs) to take immediate action, including suspending data transfers to China under GDPR Article 58(2)(j) and requesting that companies bring their processing into compliance with the GDPR.
Additionally, imposing administrative fines under GDPR, which can reach up to 4% of each companyโs global revenue. This could mean fines up to โฌ147 millionย ( โฌ3.68 billion)ย for AliExpress or โฌ1.35 billionย (โฌ33.84 billion)ย for Temu can be enforced.
Reacting to the NOYB complaint, a Xiaomi spokesperson said that the company was aware of the complaint and is examining the allegations against them.
“By complying with applicable local laws and regulations in the markets where Xiaomi operates, user data is stored and processed in accordance with local laws,” the statement added.
“In the event that a national data protection authority approaches Xiaomi in the future due to this complaint, we will fully cooperate with the authority to resolve the issue.”
TikTok and other companies have yet to comment on the complaint.