Six major Chinese tech companies, including TikTok, have come under fire for violating European privacy laws by sending users’ personal data to China. These companies, which include TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, have faced complaints due to their handling of data transfers. According to privacy experts, this practice not only breaks European data protection laws but also poses serious risks to users’ privacy and security.
Privacy Violations and Legal Breaches
The problem centers around how personal data of European users is handled. European Union (EU) laws, particularly the General Data Protection Regulation (GDPR), make it clear that companies can only transfer personal data outside of the EU under strict conditions. The law ensures that the destination country must offer an equivalent level of data protection to that of the EU. However, China’s data protection laws are not up to par with European standards.
China’s government is known to have strong control over companies within the country, often requiring them to provide user data when requested. This means that Chinese companies are obligated to hand over personal data, including sensitive information, to the Chinese authorities, which raises serious privacy concerns. Data protection experts argue that this situation leaves European users vulnerable to privacy violations since their personal information could be accessed without proper safeguards.
Meta Faces €91 Million Fine from Ireland Over GDPR Violation
How These Companies Are Involved
The companies in question have all been accused of transferring Europeans’ personal data to China without properly assessing the risks or ensuring that data protection measures were in place. In fact, four of the six companies (AliExpress, SHEIN, TikTok, and Xiaomi) openly acknowledge in their privacy policies that they send personal data to China. These companies have been under scrutiny for making these transfers without providing adequate protection for the data once it crosses borders.
On the other hand, Temu and WeChat, two other companies named in the complaints, are less clear. They only mention vague transfers to “third countries,” but do not specifically identify China. This lack of transparency has raised further concerns about how personal data is handled by these platforms.
According to experts, these data transfers violate GDPR, which states that companies need to show they have conducted a thorough impact assessment before sending data to a country outside the EU. The companies must prove that the data will remain protected against any potential misuse or unwarranted access by foreign authorities. Unfortunately, China’s policies do not offer such guarantees, making it impossible to ensure that Europeans’ personal data remains safe once transferred there.
The Future of Data Protection in India: Key Insights from the Draft Rules
The Dangers of Data Transfers to China
One of the main concerns is that China’s government has broad powers over local companies, and it can access personal data from these companies without needing to provide clear reasons. Xiaomi, for example, has stated in its transparency reports that Chinese authorities can obtain access to vast amounts of sensitive information about users. This is a direct violation of the principle of data protection, which states that individuals should have control over how their personal data is used and shared.
Moreover, European users face significant challenges when trying to exercise their rights under the GDPR. In many cases, requests to access personal data or request its deletion have been ignored by these companies. For example, noyb, the privacy advocacy group behind the complaints, found that several users’ requests to access their data were either delayed or completely ignored.
These violations have prompted legal action. The Austrian-based privacy group noyb filed formal complaints against the six companies for breaching Chapter V of the GDPR, which deals specifically with the transfer of personal data outside the EU. The complaints were filed in January 2025, and authorities in five European countries—Greece, Italy, Belgium, the Netherlands, and Austria—are being asked to intervene and suspend the data transfers to China.
