Whose business is your personal data?

In January 2025, NOYB (None of Your Business), a non-profit organization based in Vienna, Austria (known for their legal battles against Meta and other U.S. companies) filed complaints against Chinese tech companies for the first time - AliExpress, SHEIN, Temu, TikTok, WeChat, and Xiaomi, for allegedly violating GDPR by unlawfully transferring European users’ personal data to China.

According to NOYB, AliExpress, SHEIN, TikTok, and Xiaomi explicitly state in their privacy policies that they transfer data to China. Temu and WeChat mention transfers to unspecified "third countries," which NOYB believes likely include China. The organization argues that transferring data to China is unlawful under GDPR, as the country does not provide an adequate level of data protection.

NOYB also highlights that none of the companies adequately responded to GDPR Article 15 access requests, which allow individuals to inquire about the processing and transfer of their personal data. In response, NOYB filed six complaints across five European countries, urging data protection authorities to suspend these data transfers and impose fines of up to 4% of the companies' global revenue (e.g. approx. €147 million for AliExpress or €1.35 billion for Temu).

This action underscores the challenges multinational companies face in complying with GDPR, especially when operating in countries with differing data protection standards.