Noyb (None of Your Business), the data protection organization founded by Max Schrems, has filed complaints regarding six major Chinese companies, namely, TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi before the data protection authorities of Italy, Greece, Belgium, the Netherlands and Austria. Mirroring the complaints filed some years ago regarding data transfers to the US, the focus of these new complaints is on the transfer of data from the EU to China carried out by these companies, allegedly, without taking appropriate and sufficient measures to ensure a level of data protection that is essentially equivalent to the one laid down in the GDPR.
As we have learned from experience, while noyb has filed individual complaints against six companies, the resulting decisions from the concerned data protection authorities could have far-reaching consequences for data transfers to China and perhaps even to other countries.
Similarities to noyb’s US complaints
Reminiscing former complaints against US companies, the core of noyb’s complaints against the six Chinese companies is the alleged violation of Chapter V GDPR. According to Mr. Schrem’s organization the bespoke companies fail to provide sufficient safeguards to efficiently protect personal data that is subject to the GDPR from unwanted governmental access in China.
Indeed, Chapter V GDPR lays down that transfers to countries outside of the EU for which the Commission hasn’t adopted an adequacy decision, shall be secured by one of the transfer mechanisms provided for in such chapter. The purpose of adopting a transfer mechanism as provided by the GDPR is to ensure that the personal data transferred to the “inadequate country” receives nevertheless a level of protection which is essentially equivalent to that provided within the EU or within one of the countries for which the European Commission has adopted an adequacy decision.
Use of The New Standard Contractual Clauses as a Transfer Mechanism
In general, companies use the Standard Contractual Clauses for transfers to third countries, as adopted by the European Commission in 2021 as the preferred transfer mechanism. Unlike the previously adopted Standard Contractual Clauses, however, the 2021 version includes the obligation to contest requests for access to personal data covered by the GDPR by governmental authorities and, if that’s not possible, to inform the data exporter about such access by State authorities, if permitted by the applicable law. Another obligation included in the new Standard Contractual Clauses of 2021 which makes them even more complex, requires for data exporters – supported by data importers – to conduct a Transfer Impact Assessment (TIA) in order to evaluate the risks that the transfer to the third country would entail for the concerned data subjects. If the risk is high – as it allegedly is when local law allows State authorities to access personal data indiscriminately – further security measures shall be implemented or, if the risk is too high and can’t be remediated, the data transfer shall not be performed.
Are the New Standard Contractual Clauses sufficient in the case of Transfers to China?
In the case of China, the European Data Protection Board (EDPB) already expressed concerns regarding a low level of data protection and State access rights in 2021. As in the case of the noyb’s claims against US companies, in principle this should mean that the Standard Contractual Clauses alone, should not suffice to legitimize data transfers to China and that additional security measures shall be required, in particular to prevent access from Chinese State authorities. If this proves to be impossible, in particular because sufficient security measures are unavailable or impracticable, transfers of personal data subject to the GDPR to China shall be avoided. The latter is noyb’s preferred option considering that China is, according to their complaints, an “authoritarian surveillance state” where data could be accessed indiscriminately by authorities and where it would not be possible for data subjects to exercise their rights according to the GDPR.
Far-Reaching Consequences of the noyb Complaints
The claims filed by noyb could have a significant impact on TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi if the concerned data protection authorities determine violations of the GDPR. Not only could the Italian, Greek, Belgian, Dutch and Austrian data protection authorities temporarily prohibit data transfers to China by these six companies, such decisions could also indicate that data transfers to China – and perhaps to other countries – in the absence of sufficient supplementary protection measures, are generally not permissible under the GDPR. As a matter of fact, noyb has requested the concerned five data protection authorities to immediately suspend data transfers to China and to impose administrative fines on the six companies in scope.
Noyb’s new complaints are a reminder of the importance of complying with the applicable legal requirements for transfers to third countries. Not only are Standard Contractual Clauses a must-have but these shall be supplemented with sufficient security measures and a complete and detailed Transfer Impact Assessment, in the terms described above and, when risks are identified, alternatives to transfers outside of Europe shall be sought.