The Austrian privacy advocacy organization None of Your Business (noyb) has filed formal complaints against several notable companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, asserting that these firms have breached data protection regulations established by the European Union by inappropriately transferring user data to China. These complaints, lodged in multiple EU countries including Austria, Belgium, Greece, Italy, and the Netherlands, call for an immediate halt to such data transfers.
According to the advocacy group, the companies involved cannot adequately protect user information from potential access by the Chinese government. Kleanthi Sardeli, a data protection lawyer at noyb, stressed the disparity in data protection between authoritarian regimes and the EU, underscoring the illegality of transferring personal data of European individuals to China.
Noyb has highlighted that the businesses in question are compelled to comply with requests from Chinese authorities for data access. Furthermore, it pointed out that China does not possess a robust independent data protection authority to address concerns related to government surveillance. The organization added that none of these companies responded to access inquiries under the General Data Protection Regulation (GDPR) which aimed to clarify the nature of data transfers beyond EU borders.
Specific claims from noyb indicate that according to the privacy policies of AliExpress, SHEIN, TikTok, and Xiaomi, data is transferred to China. Meanwhile, Temu and WeChat suggest that they may also send data to third countries, which likely includes China given their corporate structure.
Coinciding with these developments, TikTok, which is owned by ByteDance, is reportedly preparing to discontinue its app in the U.S. by January 19, 2025, ahead of a federal ban poised to take effect.
Noyb’s recent actions are part of a larger trend; in recent months, the organization has lodged complaints against major tech firms such as Google, Microsoft, and Mozilla for allegedly tracking users without proper consent through various online services.
FTC Takes Actions Against General Motors and GoDaddy
The scrutiny of data practices also extends to the U.S., where the Federal Trade Commission (FTC) has moved against General Motors for sharing sensitive driver data, including location and behavior patterns, with consumer reporting agencies without explicit consent from users. This ban will last five years and underscores the necessity of obtaining informed consent from users regarding the sharing of their information.
A March 2024 investigation by the New York Times revealed that such data was monetized by collaborating with data brokers LexisNexis Risk Solutions and Verisk, who used it to shape risk profiles and potentially inflate insurance premiums for drivers. General Motors has stated that it discontinued its “Smart Driver” data gathering initiative in response to customer feedback, now allowing individuals to access and delete their personal information via a designated privacy request form.
Additionally, the FTC has mandated that GoDaddy implement a comprehensive information security program to rectify lapses in safeguarding consumer data following multiple breaches that occurred from 2019 to 2022. Only recently did GoDaddy acknowledge the need for improvements to its security measures, despite denying wrongdoing.
The FTC outlined that GoDaddy’s failures included inadequate asset management, failure to patch software, and insufficient risk assessments concerning its hosting services. This lack of vigilance poses significant risks to customer data security, and the FTC is urging all digital service providers to enhance their privacy frameworks.
In line with these efforts, the FTC has also announced revisions to the Children’s Online Privacy Protection Rule (COPPA), necessitating verifiable parental consent before processing child data for advertising or sharing with third parties. Under the new regulations, companies must retain children’s information only as long as necessary for its original purpose.
FTC Chair Lina Khan emphasized that these amendments aim to safeguard children’s data from commercial exploitation by requiring parental opt-in consent for targeted advertising practices.
