Chinese Tech Giants Under Fire: Complaints Over Data Transfers to China
Chinese technology giants, including TikTok, Xiaomi, and Shein, are facing mounting scrutiny as GDPR complaints highlight alleged unlawful data transfers from the European Union to China. These accusations have reignited debates about data privacy and security, particularly concerning the transparency of cross-border data management. The issue underscores the growing tension between global technology firms and stringent European data protection laws. Advocacy groups and regulators are now calling for greater accountability to safeguard the personal information of EU citizens.
The latest complaints, filed by the prominent advocacy group Noyb (None of Your Business), centre on accusations that Chinese companies have been transferring user data from the EU to China without adhering to GDPR standards. According to Noyb, these firms are exploiting legal loopholes, leaving EU citizens vulnerable due to the absence of comprehensive data protection frameworks in China. TikTok, for instance, has been criticised for its handling of user data despite claiming compliance with GDPR regulations.
Max Schrems, the founder of Noyb and a vocal advocate for stricter data privacy enforcement, has stated that these practices expose millions of Europeans to potential surveillance and misuse of their personal information. “The lack of protections for personal data in China creates a significant vulnerability for millions of EU users,” Schrems said in a recent statement. Regulators, meanwhile, have reiterated the critical need for compliance, pointing to the overarching importance of trust in data-driven economies.
The transfer of personal data from the EU to jurisdictions like China—where data protection laws are minimal or non-existent—raises significant risks. EU citizens’ personal information may be misused, shared without consent, or subjected to state surveillance. These risks are exacerbated by the lack of transparency around how companies manage and store this data. For instance, reports have surfaced suggesting that some firms fail to disclose the extent of their data-sharing practices, further complicating efforts to hold them accountable.
A Euronews investigation recently underscored the importance of addressing these vulnerabilities, warning that the absence of robust data protection measures could undermine consumer trust and compromise digital security across Europe. Advocacy groups and legal experts are now urging regulators to prioritise investigations into these alleged violations and ensure that appropriate sanctions are enforced where necessary.
TikTok has sought to address concerns by launching “Project Clover,” a strategy aimed at storing European user data within data centres located in the EU. The company maintains that it prioritises privacy and compliance, arguing that its initiatives are designed to meet GDPR requirements. However, critics remain sceptical, pointing to previous incidents where TikTok faced fines for non-compliance with EU data protection laws.
Xiaomi has also issued a robust defence, asserting that its internal policies are aligned with GDPR standards. The company has dismissed the allegations as unfounded, emphasising its commitment to lawful data handling practices. Despite these reassurances, scrutiny from regulators and advocacy groups continues to mount, with calls for independent audits to verify compliance.
Under GDPR, companies engaged in cross-border data transfers must demonstrate that adequate protections are in place to safeguard personal information. These requirements are particularly stringent for transfers to countries outside the EU, such as China, where privacy laws often fall short of European standards. Failure to comply can result in severe penalties, including fines of up to 4% of a company’s global annual turnover.
The potential financial repercussions for companies found in violation of GDPR are significant. Recent cases, such as Meta’s €1.2 billion fine for unlawful data transfers to the US, highlight the regulatory appetite for enforcing compliance. Should the allegations against TikTok, Xiaomi, and others be substantiated, these companies could face similar financial and reputational consequences. Such penalties serve not only as a deterrent but also as a stark reminder of the importance of adhering to GDPR regulations.
For European businesses, these high-profile cases underline the critical importance of rigorous compliance with GDPR. Companies must take proactive steps to review their data-sharing agreements and ensure that their operations meet the stringent requirements set by EU regulators. This includes conducting regular compliance audits, identifying vulnerabilities, and implementing measures to mitigate risks associated with international data transfers.
Businesses that have adopted comprehensive data protection measures have successfully navigated the complexities of GDPR compliance. Their experience illustrates how organisations can build trust with their customers while avoiding the pitfalls of regulatory violations. For many companies, the focus must now shift towards adopting a proactive approach to data privacy, recognising that non-compliance carries significant financial and reputational risks.
The GDPR complaints against Chinese tech giants serve as a timely reminder of the ongoing challenges in protecting personal data in an increasingly interconnected world. These developments underscore the need for businesses to prioritise compliance, not just to avoid penalties but to safeguard the trust of their customers.