Austrian non-profit privacy organization None of Your Business (noyb) filed complaints accusing companies such as TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi of violating data protection rules in the European Union by illegally transferring user data to China.
The advocacy group is seeking an immediate halt to such transfers, saying the companies in question cannot protect user data from potential access by the Chinese government. Complaints have been filed in Austria, Belgium, Greece, Italy and the Netherlands.
“Given that China is an authoritarian surveillance state, it is quite clear that China does not offer the same level of data protection as the EU,” Cleanti Sardelli, data protection lawyer at noyb said. “The transfer of personal data of Europeans is clearly illegal and must be stopped immediately.”
Neub noted that companies have no choice but to comply with Chinese authorities’ requests for access to data, and that Beijing lacks an independent data protection authority to raise questions about government surveillance.
It also said that none of the companies responded to General Data Protection Regulation (GDPR) access requests seeking clarity on the nature of data transfers and when they are transferred to China or any other country outside the EU.
“According to their privacy policies, AliExpress, SHEIN, TikTok and Xiaomi transfer data to China,” said noyb. “Temu and WeChat mention transfers to third countries. Based on the corporate structure of Temu and WeChat, this likely includes China.”
The development comes at a time when TikTok is owned by ByteDance preparation to shut down its program in the US from January 19, 2025, when the federal ban on the social media platform is scheduled to take effect.
In recent months, noyb has filed GDPR-related complaints Google, Microsoftand Mozilla to track users without consent through Privacy Sandbox, Xandr and Firefox respectively.
FTC takes action against General Motors and GoDaddy
The complaints also coincide with the US Federal Trade Commission (FTC) prohibition Automaker General Motors has refused to release data it collects from drivers, including geolocation and driver behavior information, to consumer reporting agencies for five years for sharing such data without their informed consent.
According to the materials of the New York Times investigation in March 2024 the information was shared with two data brokers, LexisNexis Risk Solutions and Verisk, which worked with the insurance industry to create risk profiles and raise auto insurance rates for certain drivers.
General Motors said in a statement said it had already discontinued the Smart Driver data collection program in April 2024 “due to customer feedback.” The company said customers can access and delete their personal information through a US Consumer Privacy Request Form on its website.
The FTC also ordered website hosting provider GoDaddy to implement a comprehensive information security program to review its “unreasonable security practices” that led to multiple customer data breaches between 2019 and 2022. GoDaddy is not admitted to any violations, and was not fined.
“GoDaddy failed to implement reasonable and appropriate security measures to protect and monitor its website hosting environment for security threats and misled customers about the extent to which their data was protected by the website hosting services,” the FTC said. said.
The agency noted that GoDaddy failed to properly manage its assets and inventory; fix the software; assess risks for hosting services; use multi-factor authentication; record security-related events; monitor security threats; segment your network; and secure connection to services that provide access to consumer data.
The consumer protection agency also announced amendments to children’s online privacy protections under the Children’s Online Privacy Protection Act (COPPA), which require verifiable parental consent before processing or sharing their data for advertising purposes. them to third parties.
In addition, the rule provides a new data retention policy that requires companies to retain information about children only “for as long as is reasonably necessary to fulfill the specific purpose for which it was collected.”
“By requiring parents to opt-in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active consent,” said FTC Chairwoman Lina M. Han. said.
