Known primarily for being a perpetual thorn in Meta/Facebook’s side, EU privacy group noyb has a new target: China-based apps engaging in international data transfers. The group has filed privacy complaints against six of the country’s biggest names, including TikTok and Temu.
China has not received an adequacy decision for international data transfers due to known and expected access by the government. Nevertheless, four of the apps are openly transferring user data back to China and the other two make use of an unspecified “third country.”
noyb privacy complaints seek immediate suspension of data transfers
The six apps that the noyb privacy complaints are targeting are TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi. Each of the complaints has been filed in different EU countries, with the exception of Greece being used for both TikTok and Xiaomi.
The privacy complaints are centered on China’s national security laws, which essentially allow warrantless access to any data stored on private servers within the country. Companies engaging in data transfers to China thus cannot ensure that parity with EU privacy requirements is being achieved, as non-compliance is not really an option. Some companies have been able to maintain data transfers to “inadequate” partners via the use of “Standard Contractual Clauses” (SCCs), but the totalism of China’s laws preclude that possibility.
Nevertheless, noyb says that company privacy statements indicate that four of the apps (AliExpress, SHEIN, TikTok and Xiaomi) do engage in data transfers back to China. The other two, Temu and WeChat, say that they transfer data to unspecified “third countries” (which may include China).
The noyb privacy complaints are seeking immediate suspension of data transfers by these apps, GDPR fines and a mandate to bring their data processing and protection practices into compliance.
Already struggling with regulation in the US, Chinese apps face new wave of scrutiny in Europe
This is the first of noyb’s privacy complaints to be directed against China-based firms. Chinese apps would appear to be an obvious target for GDPR complaints, but have seen relatively little activity thus far as compared to the likes of Meta, Google and Apple. The companies in this complaint generally do keep regional EU offices; mostly in Dublin, but Xiaomi has an office in The Hague and Tencent (Wechat) also works out of the Netherlands. Thus far the only app that has drawn some level of serious attention is TikTok, which is being investigated by the European Commission over possible manipulation of its algorithm by paid advertisers to interfere in EU elections.
TikTok’s most famous battle as of late has been in the United States, where original foe Donald Trump gave it new life upon taking office for the second time. The highly popular app had been forced to shut down in the country briefly as of January 19, under an order from the outgoing Biden administration. A new executive order from Trump has provided TikTok with more time to negotiate a US buyer, and the president also suggested that a joint partnership with at least 50% US ownership might be an acceptable arrangement. Though a number of high-profile names have been floated as potential buyers, there are strong indications that Microsoft has been in talks to purchase the video sharing app; with an expected asking price of over $100 billion if its algorithm is part of the package, the list of possible buyers is necessarily limited.
Should TikTok eventually be purchased by a US company, that could provide it with a means to address its issues with data transfers in the EU. The path forward is less clear for the other apps, as they may well be facing the same struggles that TikTok has been going through over the past several years. Temu’s explosion of popularity in the US has drawn regulatory scrutiny to it, and has been heavily criticized for burrowing deep into phones and gathering a vast range of user data. The app (along with SHEIN) has also drawn calls for investigations into the use of slave labor for some of its listed products, and the fact that some baby and toddler products offered on it do not meet US safety regulations.
Europe’s primary tool for regulating China-based apps to date has been the Digital Services Act rather than the GDPR. That means that an app must have over 45 million monthly users in the EU to be subject to its terms, but most of the apps featured in noyb’s privacy complaints have been clearing that bar for some time. That threshold designates an app or platform as a Very Large Online Platform (VLOP) which requires it to adopt additional risk assessment and mitigation measures. VLOPs can also be fined up to 6% of their global annual turnover for violations and the European Commission directly imposes these penalties, as compared to the sometimes contentious GDPR deliberation process.
