Austrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users’ data to China.
The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data from being potentially accessed by the Chinese government. The complaints have been filed in Austria, Belgium, Greece, Italy, and the Netherlands.
“Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the E.U.,” Kleanthi Sardeli, data protection lawyer at noyb, said. “Transferring Europeans’ personal data is clearly unlawful – and must be terminated immediately.”
Noyb noted that the companies have no choice but to comply with Chinese authorities’ requests for access to data, and that Beijing lacks an independent data protection authority to raise issues related to government surveillance.
It also said none of the companies responded to its access requests under the General Data Protection Regulation (GDPR) to seek clarity on the nature of data transfers, and if they are transmitted to China or any other country outside of the E.U.
“According to their privacy policy, AliExpress, SHEIN, TikTok, and Xiaomi transfer data to China,” noyb said. “Temu and WeChat mention transfers to third countries. According to Temu and WeChat’s corporate structure, this most likely includes China.”
The development comes as ByteDance-owned TikTok is preparing to shut down its app in the U.S. starting January 19, 2025, when a federal ban on the social media platform is scheduled to come into effect.
In recent months, noyb has filed GDPR-related complaints against Google, Microsoft, and Mozilla for tracking users without consent through Privacy Sandbox, Xandr, and Firefox, respectively.
FTC Takes Actions Against General Motors and GoDaddy
The complaints also coincide with the U.S. Federal Trade Commission (FTC) banning automaker General Motors from disclosing data that it collects from drivers, including geolocations and driver behavior information, to consumer reporting agencies for five years for sharing such data without their affirmative consent.
According to a New York Times investigation in March 2024, the information was shared with two data brokers, LexisNexis Risk Solutions and Verisk, that worked with the insurance industry to generate risk profiles and increase auto insurance rates for some drivers.
In a statement, General Motors said it had already discontinued the “Smart Driver” data collection program in April 2024 “due to customer feedback.” The company said customers could access and delete their personal information through a U.S. Consumer Privacy Request Form on its website.
The FTC has also ordered website hosting provider GoDaddy to implement a comprehensive information security program to overhaul its “unreasonable security practices” that led to multiple customer data breaches between 2019 and 2022. GoDaddy has not admitted to any wrongdoing, nor has it been fined.
“GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services,” the FTC said.
The agency pointed out that GoDaddy failed to properly manage its assets and inventory; patch its software; assess risks to its hosting services; use multi-factor authentication; log security-related events; monitor for security threats; segment its network; and secure connections to services providing access to consumer data.
The consumer protection agency has since also announced amendments to online privacy safeguards for children under the Children’s Online Privacy Protection Rule (COPPA) that require obtaining verifiable parental consent prior to processing their data for advertising purposes or sharing it with third-parties.
Furthermore, the rule imposes new data retention policies, necessitating that companies only retain children’s information “for as long as reasonably necessary to fulfill a specific purpose for which it was collected.”
“By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission,” FTC Chair Lina M. Khan said.
Source: thehackernews.com/