Transferring data across borders is a delicate task for companies operating within the European Union. The EU mandates stringent data privacy standards that only allow the transfer of customer information to other nations under specific conditions. A primary condition is that these countries must uphold EU-level privacy protections. Consequently, sending data to countries with intense state surveillance, like China, often treads on precarious legal grounds.
Despite these regulations, a number of tech companies continue transferring customer data to China. This situation is particularly common among Chinese tech giants with a global footprint. Notably, Xiaomi has admitted in its transparency report that Chinese authorities can, at times, gain unrestricted access to user data. This admission raises security concerns for European users regarding the protection of their personal information. In China, corporate data compliance to state demands is a legal necessity, given the absence of an independent authority for data privacy or protection.
In response, the data protection organization known as NOYB — short for “None of Your Business” — is actively pursuing transparency. They have sought access to information to ascertain whether these companies have been sending customer data outside the EU to countries like China. Despite having a legal duty to respond, none of the queried companies have complied with NOYB’s information requests.
As a result, NOYB has escalated the matter by filing formal data privacy complaints against several major companies, including TikTok, Aliexpress, Shein, Temu, WeChat, and Xiaomi, across five EU countries. NOYB is urging EU authorities to halt these illicit data transfers and is calling for significant fines as penalties. The suggested fines could reach as high as 4% of a company’s global revenue.
To illustrate the potential impact: AliExpress, with an annual revenue of €3.68 billion, could face fines nearing €147 million. Similarly, Temu’s substantial yearly earnings of €33.84 billion could translate to a remarkable €1.35 billion penalty under the EU’s rigorous data protection law. These potential fines underscore the critical issue of data privacy and compliance on a global stage, pushing companies towards greater accountability and improved data governance.
