In the wake of fears about how the artificial intelligence (AI) model DeepSeek can be mandated to share data with Chinese intelligence authorities, a European non-profit has filed legal complaints against TikTok, AliExpress, Shein & Co, WeChat, Temu, and Xiaomi.
The complaints are for alleged breaches of the European General Data Protection Regulation (GDPR).
American companies like Apple, Meta, and Microsoft have all faced legal consequences for breaching the GDPR, which is extremely strict legislation by international standards.
Now, with the complaints filed by the Austrian privacy non-profit None of Your Business (NOYB), Chinese companies are being put under the GDPR spotlight.
Techopedia explores the latest complaints and how security laws are increasingly rubbing up against China’s mode of operation as the worlds of business and legislation collide faster than ever.
Key Takeaways
- Six Chinese companies, including TikTok and Temu, face GDPR complaints for allegedly transferring user data to China.
- Chinese law allows the government to demand user data from these companies, raising surveillance fears.
- Companies could face fines of up to 4% of their global revenue if found guilty.
- Non-profit NOYB demands these companies stop transferring data to China and establish EU-based data centers.
World’s Privacy Laws vs. China
The non-profit NOYB says the six Chinese companies, TikTok, AliExpress, Shein & Co, WeChat, Temu, and Xiaomi, have breached the GDPR.
The law bans international companies from physically extracting European citizen data out of the country of origin to foreign data centers and servers.
The GDPR does make exceptions for transferring data out of European data centers and servers, but these transfers must meet strong compliance requirements, which NOYB says the companies have failed to do.
NOYB accused all six Chinese companies of “unlawful data transfers to China.”
With Chinese apps such as TikTok and AI models such as DeepSeek facing scrutiny in the U.S., Europe, and other countries, the Chinese government’s room for maneuver seems to be closing down.
Kleanthi Sardeli, data protection lawyer for NOYB, spoke about China as a surveillance state:
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the EU. Transferring Europeans’ personal data is clearly unlawful — and must be terminated immediately.”
In this report, we examine the complaints against the six Chinese companies and the maximum penalties of the GDPR to understand what is next.
6 Chinese Companies Face Hundreds of Millions in Possible GDPR Fines
The case started on January 16, when NOYB announced it had filed six GDPR complaints in five European countries.
In the complaints, NOYB asked authorities to “immediately order the suspension of data transfers to China,” adding that China does not provide essentially equivalent data protection.
NOYB wants the Chinese companies to bring their data centers and server infrastructure to the E.U. region to comply with GDPR demands.
The non-profit urged the European data protection authorities to fine TikTok, AliExpress, Shein & Co, WeChat, and Xiaomi. NOYB recommended the maximum GDPR fine available under Article 83(5) — 4% of a company’s global revenue.
The maximum GDPR fine for the alleged violation by AliExpress, with an annual revenue of over $3.7 billion (about €3.68 billion), would be approximately $151 million (about €147 million).
If found in breach, Temu, the Chinese online marketplace owned by PDD Holdings, would be fined about $139 million (€1.35 billion). Temu’s annual revenue is about $34 million (€33.84 billion).
Naturally, there is a long road to go before NOYB’s claims are tested.
NOYB also wants to find out what Chinese tech companies are doing with Europeans’ personal data, citing: “Under Article 15 GDPR with the above-mentioned companies to see if their data was sent to China or other countries outside the E.U.,” NOYB said.
To date, none of the six Chinese companies have provided information required by law about European data transfers.
“We still know that, according to their privacy policy, AliExpress, SHEIN, TikTok, and Xiaomi transfer data to China. Temu and WeChat mention transfers to third countries. According to Temu and WeChat’s corporate structure, this most likely includes China.”
NOYB’s lawyer said that the six Chinese companies have no choice but to comply with European government requests for access to data.
Can GDPR Fines Have Impact or Lead to E.U. App Bans?
While the GDPR and data authorities of the European Union mean business, the act itself is designed to trigger investigations, conduct legal processes, and reach a judgment for or against a company over breaches, not to ban a company’s app.
The maximum penalty of the GDPR, as already mentioned, is a fine of 4% of the company’s total revenue. These maximum penalties are not uncommon.
For example:
- Amazon received a GDPR fine of $768.64 million (€746 million) for breaching the privacy law, in 2021. The fine was issued by the Luxembourg National Commission for Data Protection (CNPD).
- Meta, a company that has faced numerous GDPR legal cases, was also issued a historically high GDPR fine totaling $1.24 billion, imposed by the Irish Data Protection Commission (DPC) in 2023.
European data authorities are not legally empowered by the GDPR to do anything else but investigate and prosecute cases under the fine-reprimand model of the Act designed for deterrence. But does this work?
Billions in fines may sound like big and scary numbers for the average person, but for companies like Meta, they are pocket change. Many experts criticize the penalties of the GDPR, describing them as nothing but ‘a slap on the wrist’.
Often the cost of the fine for big tech companies is cheaper than the cost of complying with the GDPR. This could be a logical explanation as to why large companies are regularly found (or suspected to be) in breach.
One thing is clear: European data authorities enforcing the GDPR are not in the business of shutting down tech companies or issuing national or regional bans on applications. However, their investigations may trigger more serious cases, including criminal procedures.
Another problem that data authorities in Europe face is that GDPR cases are also not resolved with speed. Tech companies will appeal and delay GDPR court processes time and time again in a strategy to — well, buy time.
Additionally, the GDPR and E.U. data authorities face many challenges, such as a backlog of cases and a large number of complaints.
Data authorities taking tech companies to GDPR courts must also undertake the sophisticated and time-consuming task of investigating highly technical documentation and the digital operations of international corporations and massive companies — no easy task.
Understanding the Requests for Foreign Citizen Personal Data that China Makes
The Chinese government can legally require Chinese companies to hand over data and cooperate with the government. However, the specific nature of these requests is hardly ever documented.
While we may imagine that the Chinese government makes sporadic and specific data requests to national companies, mostly in dire national security situations, according to the Austrian NGO, this is not the case.
NOYB said documents by Xiaomi reveal that the Chinese government does request access to personal data.
The non-profit said:
“Xiaomi’s transparency reports confirm this risk of Chinese authorities requesting and obtaining (unlimited) access to personal data in practice. According to these documents, authorities request access to personal data on a very large scale.”
NOYB alleged that companies like Xiaomi comply with Chinese authorities’ requests all of the time.
“On top of that, it is almost impossible for foreign users to exercise their rights under Chinese data protection law,” NOYB said.
China doesn’t have an independent data protection authority or any other tribunal to raise government surveillance issues.
The Bottom Line
The NOYB complaints against the six Chinese giants not only question these companies’ operations in Europe but also have the potential to reveal a most obfuscated issue — how the Chinese government requests data from companies operating abroad.
It is true that the GDPR process has limitations on maximum penalties, with 4% of global revenue being the maximum. It is also accurate to say that no GDPR case has ended with the complete shutdown of a company’s operations in Europe.
However, some cases have prevented certain products, services, and marketplaces from conducting business in the region.
While none of the six companies is currently at risk of being banned in Europe, the GDPR and data protection authorities of the E.U. should not be underestimated.
A legal process against these companies has been requested, and while it may be a long time before a final ruling, the GDPR mechanisms investigating China have been set in motion.
References
- Apple fined €8M in French privacy case (Politico)
- Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules (The New York Times)
- Microsoft Sets Aside $425M for Anticipated GDPR Fine (BankInfoSecurity)
- TikTok, AliExpress, SHEIN & Co surrender Europeans’ data to authoritarian China (Noyb)
- Amazon hit with record EU data privacy fine (Reuters)
- 1.2 billion euro fine for Facebook as a result of EDPB binding decision (European Data Protection Board)
- GDPR in practice – Experiences of data protection authorities (European Union Agency for Fundamental Rights)
- Xiaomi Trust Center (Trust Mi)