NOYB raises alarm over Chinese companies’ data transfer practices

16 Jan 2025


Transferring EU users’ personal data to China is ‘clearly unlawful’, says NOYB lawyer.

Data privacy advocacy group NOYB has filed complaints against six Chinese business giants in the EU over data transfer practices that allegedly break the EU’s GDPR.

In separate complaints filed in five EU countries, NOYB said the e-commerce website AliExpress, fast-fashion retailer Shein, social media giant TikTok and the phone maker Xiaomi openly admit to sending Europeans’ personal data to China, while Temu, another fast-fashion retailer, and WeChat, the messenger app, say they transfer EU data to undisclosed “third countries”, which NOYB assumes likely includes China.

The non-profit established by privacy advocate Max Schrems referred to China as an “authoritarian surveillance state” and said the companies cannot “realistically shield” EU user data from access by the Chinese government.

Article 15 of the GDPR assures data subjects access to information from the controller – or the organisations who have access to the EU user’s data – regarding where their data is and how it is processed. NOYB, which filed for the information with the companies, claimed that none of them provided the legally required information about data transfer.

If companies transfer EU data outside the region, they are obligated to meet strict EU data protection regulations.

However, the non-profit alleged in its complaint that because “Chinese data protection laws do not limit the access by authorities in any way”, no company in the country can provide guarantees for EU user data protection.

Kleanthi Sardeli, a data protection lawyer at NOYB, said that “it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful – and must be terminated immediately.”

Moreover, phone maker Xiaomi has admitted in its transparency report to complying with Chinese authorities’ requests for access to personal data on a “very large scale”.

However, in a statement to SiliconRepublic.com on 17 January, a Xiaomi spokesperson acknowledged the complaint and said: “Our privacy policy is developed to comply with applicable regulations such as the GDPR.

“By complying with local applicable laws and regulations in markets where Xiaomi operates, user data are stored and processed in compliance with local laws. In case any national data protection authority will approach Xiaomi in the future due to this complaint, we will fully cooperate with the authority to resolve the matter.”

Sardeli, however, said in NOYB’s statement regarding the complaint: “Chinese companies have no choice but to comply with government requests for access to data.

“This means that European users’ data is at risk as long as it’s sent abroad. The competent authorities must act quickly to protect the fundamental rights of the people concerned.”

In 2024, NOYB filed a complaint against Mozilla with the Austrian data protection authority for “quietly enabling” a feature on its Firefox browser that NOYB says tracks user behaviour without consent, while in 2023, it raised alarm over Ryanair’s use of “invasive” facial recognition technology.


Updated, 3:35pm, 17 January 2025: This article was updated to include Xiaomi’s statement regarding the NOYB complaint.

Suhasini Srinivasaragavan is a sci-tech reporter for Silicon Republic
