TikTok, AliExpress, WeChat: Charges for failure to comply with GDPR
- Gabriele Iuvinale

- 18 July
- Reading time: 11 min
The allegations, which will have to be confirmed in court, relate to failure to provide full and understandable access to personal data (Art. 15 GDPR) and lack of transparency (Art. 12 GDPR). These Chinese apps allegedly provided incomplete data, corrupted files, or ignored requests altogether, preventing users from verifying the lawfulness of the processing of their data. The context is exacerbated by data transfers to China, where data protection allegedly falls short of EU standards. noyb calls on European authorities to impose significant sanctions, stressing the importance of strict enforcement of the GDPR to protect users' digital rights.
In a digital age where personal data management has become crucial, the European Union's General Data Protection Regulation (GDPR) stands as a bulwark for citizens' rights. However, despite the widespread adoption of automated tools for managing data access requests, many leading tech companies, particularly those based in China, continue to exhibit concerning non-compliance. The European non-profit organization noyb (European Center for Digital Rights), founded in 2017 and dedicated to protecting digital rights and privacy, has recently taken significant legal action. On July 17, noyb filed three formal complaints with the data protection authorities (DPAs) in Belgium, Greece, and the Netherlands against TikTok, AliExpress, and WeChat. The accusations concern alleged serious violations of Articles 12 (transparency of communications) and 15 (right of access by the data subject) of the GDPR. The alleged violations include providing incomplete or incomprehensible data, or disregarding access requests entirely, potentially making it impossible for users to verify the lawfulness of their data processing. The context of these complaints is further exacerbated by the issue of data transfers to China, a country whose legislation allegedly does not guarantee a level of data protection adequate by EU standards. noyb asks the DPAs to issue declaratory decisions of violation, order compliance, and impose administrative fines that could reach 4% of the companies' global turnover; in the case of AliExpress, a potential fine of 147 million euros is estimated.

The Denied Right of Access: Incomplete, Incomprehensible Data, and Total Omissions
The GDPR clearly states that data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, to obtain access to the personal data and a range of detailed information (Article 15). This includes not only a copy of the data but also details on the purposes of processing, the categories of personal data concerned, the recipients, the retention period, and the existence of automated decision-making processes. Investigations conducted by noyb, supported by the complaint documents, indicate that TikTok, AliExpress, and WeChat have systematically failed to comply with these fundamental obligations.
TikTok. Despite the availability of a "download your data" tool, TikTok allegedly provided the complainant, assisted by noyb, with only a portion of their personal data in an unstructured format, consisting of several poorly organized and incomplete text (txt) files. Some of these files were allegedly even empty, potentially making it impossible for the user to fully understand the information provided and, consequently, to verify the lawfulness of their data processing. TikTok's subsequent response to a more specific access request allegedly merely redirected the complainant to the general privacy policy, without providing personalized information as required by Article 15(1), (2), and (3) of the GDPR.
AliExpress. The situation with AliExpress is allegedly equally problematic. The company allegedly provided a file that, despite being labelled a "Copy of Personal Data," was corrupted and could only be opened once. This limitation would have prevented the complainant, assisted by noyb, from any subsequent consultation or in-depth analysis of the document, effectively nullifying the right of access. As highlighted in noyb's complaint, such an option would be "particularly problematic because it allows for a one-time reading of the document, and hinders any further situation where the document should have been consulted, for instance for legal compliance purposes." In this case too, AliExpress's subsequent responses allegedly merely referred generically to its privacy policy, without providing the specific information requested.
WeChat. WeChat's conduct would stand out for a complete disregard of obligations. After submitting an access request via the dedicated form, the complainant, with the support of noyb, allegedly received a response from Tencent (WeChat's parent company) only six months later. This delayed response allegedly merely explained how to use the "Export Personal Data" tool within the application, without providing any of the detailed information required by Articles 15(1), (2), and (3) of the GDPR. This inaction and the subsequent generic response would constitute a clear violation of Article 12(3) and (4) of the GDPR, which require controllers to respond to requests without undue delay and, in any case, within one month, providing reasons in case of no action.
As Kleanthi Sardeli, a data protection lawyer at noyb, emphasizes: "Tech companies love to collect as much data about you as possible, but vehemently refuse to give you full access as required by EU law." This statement encapsulates the frustration of many users who face insurmountable barriers when trying to exercise their fundamental rights.
The Context of Data Transfers to China: A Matter of Digital Sovereignty and Reasons for Non-Compliance
The data access requests forming the basis of the recent complaints filed by noyb are not isolated, but are part of a broader concern regarding international data transfers. As early as January 2025, noyb had initiated a series of complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, challenging data transfers to China that it alleged were illegal.
According to the GDPR, data transfers outside the European Union are permitted only if the destination country guarantees a level of data protection "essentially equivalent" to that of the EU, or if appropriate safeguards are in place (Article 46 GDPR). Chinese legislation, however, allegedly does not impose significant restrictions on government authorities' access to personal data. This would mean that companies transferring EU user data to China cannot realistically guarantee that such data is protected from government access, thereby jeopardizing the fundamental rights and freedoms of data subjects.
During the initial proceedings, some of the companies involved, such as SHEIN, Temu, and Xiaomi, showed some openness, providing the complainants with additional information. This suggests a potential willingness to cooperate or at least an acknowledgment of the concerns raised. In contrast, TikTok, AliExpress, and WeChat allegedly continued to violate the GDPR, demonstrating a persistent reluctance to comply with European regulations. Their conduct, in this sense, would further exacerbate the perception that Chinese apps may be even less attentive to user rights than US providers, who, despite their own shortcomings, have implemented automated tools for handling GDPR requests at scale.
The possible reasons behind this alleged non-compliance are manifold. These could include:
Technical challenges: Managing a huge volume of access requests from a global user base can be technically complex, requiring robust infrastructure for extracting, formatting, and securely delivering data. However, "big tech" companies typically have the resources to overcome such obstacles.
Strategic choices/business models: Some companies may adopt a business model that prioritizes massive data collection without wanting to bear the burden of full transparency, which is perceived as a hindrance to innovation or competitiveness.
Differences in regulatory frameworks: Data protection laws in China are different and often less stringent than the GDPR, which could lead to a lower priority in complying with European regulations, especially if sanctions are perceived as less impactful or less likely. The corporate culture may not have fully internalized the principles of "privacy by design" and "privacy by default" that underpin the GDPR.
The Crucial Role of Data Protection Authorities (DPAs)
The complaints filed by noyb are addressed to the Data Protection Authorities (DPAs) in Belgium, Greece, and the Netherlands. DPAs are independent public bodies, established in each EU Member State, with the task of overseeing the application of the GDPR. Their role is fundamental in ensuring that data subjects' rights are respected and that controllers comply with their obligations.
Complaint handling process. When a DPA receives a complaint, it initiates an investigation. This may include requesting additional information from the company, hearing from the parties involved, and analyzing evidence. DPAs have broad investigative (Art. 58(1) GDPR), corrective (Art. 58(2) GDPR), and advisory powers. Corrective powers include the ability to issue warnings, reprimands, impose temporary or definitive limitations on processing, order the erasure of data, or, as requested by noyb, impose administrative pecuniary fines.
Cross-border cooperation. Since companies like TikTok, AliExpress, and WeChat operate globally and process user data in various EU countries, cases often involve multiple DPAs. The GDPR provides for a cooperation mechanism (the "one-stop shop mechanism") which, under the supervision of the European Data Protection Board (EDPB), allows the "lead authority" DPA (the competent authority for cross-border processing) to coordinate investigations and decisions, ensuring consistent application of the regulation throughout the EU. Decisions in these cases will therefore have an impact beyond the individual country.
noyb's Legal Actions and Potential Sanctions: A Crucial Precedent
In the face of these alleged systematic violations and persistent non-compliance, noyb has decided to intensify its legal actions. The three complaints filed on July 17 with the DPAs in Belgium, Greece, and the Netherlands aim to obtain decisive action from the supervisory authorities.
noyb's main requests are clear and targeted:
Declaratory Decision. noyb asks that the competent DPAs issue a formal decision declaring that TikTok, AliExpress, and WeChat have violated Articles 12 and 15 of the GDPR. This decision would be an official recognition of the alleged infringements and an important legal precedent.
Order for Compliance. It is requested that the companies be obliged to fully comply with the complainants' access requests, by providing all relevant information in a comprehensible and complete format. This would restore users' fundamental rights.
Administrative Fines. Finally, and no less importantly, noyb suggests that data protection authorities impose significant administrative fines. The sanctions provided for by the GDPR for serious violations can reach up to 4% of the company's global annual turnover. For AliExpress, with an estimated annual turnover of 3.68 billion euros, this could translate into a fine of as much as 147 million euros. Such sanctions are not only punitive but also have a strong deterrent effect, pushing companies to invest in compliance and prevent similar violations in the future.
These legal actions taken by noyb are not merely an attempt to protect the rights of individual users, but represent a crucial step in the broader battle for the effective application of the GDPR globally. It is essential to emphasize that these are allegations that will need to be substantiated in a judgment by the competent authorities.
Insights and Future Prospects
In light of the evidence presented and the ongoing challenges posed by the alleged non-compliance of some large tech companies, it is crucial to consider future prospects and actions that can be taken to strengthen personal data protection.
The next steps expected for noyb include closely monitoring the DPA investigations and collaborating with them to ensure that the alleged violations are effectively addressed. The organization will continue to support complainants and promote the strict enforcement of the GDPR.
For European users, it is essential to stay informed and proactive:
Exercise your rights. Do not hesitate to submit requests for access to your data. Even if the initial response may be unsatisfactory, it is the first step in asserting your rights. Remember that persistence is often necessary to obtain an adequate response.
Report non-compliance. If you encounter difficulties in obtaining your data or believe that a company is violating the GDPR, you can file a complaint with your national DPA or contact organizations like noyb. Every complaint helps to build a more complete picture of the alleged violations and to strengthen pressure on companies.
Be aware. Carefully read privacy policies and understand what data is collected and how it is used by the apps and services you use. If a policy is too complex or vague, consider asking for clarification or exploring alternatives.
The long-term implications of these complaints are significant. They could set an important precedent for the accountability of global tech companies under European data protection laws. Stronger GDPR enforcement could compel these companies to review their data processing practices and invest more in transparency and privacy protection. This could lead to a fairer digital market that respects fundamental rights, where users' digital sovereignty is not just a concept, but an operational reality. Transparency and data access remain fundamental pillars for meaningful digital sovereignty and privacy protection in the digital age. It is imperative that supervisory authorities continue to demonstrate firmness in enforcing the GDPR to ensure that individuals' rights are not trampled by profit motives or international regulatory differences.
The Strategic Importance of Articles 12 and 15 of the GDPR
Articles 12 and 15 of the GDPR are not mere bureaucratic formalities, but represent fundamental pillars for personal data protection and the empowerment of individuals in the digital age.
Article 12 (Transparency of communications): This article requires controllers to provide all information and communications relating to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Transparency is a prerequisite for informed consent and the conscious exercise of rights. Without clear communications, users cannot understand how their data is being used, rendering any attempt at control futile.
Article 15 (Right of access by the data subject): This right allows individuals to know whether their data is being processed, what data is concerned, for what purposes, to whom it is disclosed, and for how long it is stored. It is the cornerstone for exercising all other rights provided by the GDPR, such as the right to rectification (Art. 16), the right to erasure ("right to be forgotten," Art. 17), the right to restriction of processing (Art. 18), and the right to data portability (Art. 20). Without access, these rights remain theoretical and unenforceable.
"Processing of personal data" under the GDPR includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. It is a broad concept that covers almost every interaction with information that identifies an individual.
The Impossibility of Verifying Lawfulness of Processing and Implications for Users
The ultimate purpose of the right of access, as clarified by Recital 63 of the GDPR and the case-law of the Court of Justice of the European Union (CJEU), is to enable the data subject to verify the lawfulness of the processing of their personal data. When companies provide incomplete, incomprehensible data, or, worse still, ignore requests, they effectively make such verification impossible.
Generic responses, which refer the user to standard privacy policies, are not sufficient. The CJEU has reiterated this requirement in several judgments. In case C-141/12, YS and others, the Court stated that "it is in order to carry out the necessary checks that the data subject has [...] a right of access to the data relating to him which are being processed." Even more explicit is the judgment in case C-154/21, "RW v Österreichische Post AG," where the CJEU ruled that Article 15(1)(c) of the GDPR "must be interpreted as meaning that the data subject's right of access to the personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients."
Therefore, mere reference to categories of recipients or generic privacy policies does not constitute an adequate response to an access request. Companies are obliged to provide information "updated and tailored for the processing operations actually carried out with regard to the data subject," an obligation that TikTok, AliExpress, and WeChat allegedly failed to meet. Such conduct would violate not only Article 15 but also Article 12(1) and (2) of the GDPR, which require controllers to take appropriate measures to provide the requested communications in a concise, transparent, intelligible, and easily accessible form.
The practical consequences for the user are significant: if a user does not know what specific data is being processed, how can they request the rectification of inaccurate information (e.g., an incorrect email address or outdated preferences)? How can they request the erasure of data that is no longer necessary or for which they have withdrawn consent? The inability to access one's data effectively prevents the exercise of the "control" that the GDPR intends to guarantee to individuals over their personal information. Without this control, rights remain purely theoretical, and the user is left in the dark about how their most sensitive data is collected, processed, and potentially shared.
Kleanthi Sardeli of noyb reiterates: "The GDPR clarifies that companies must provide their users with specific information about the data they are processing about them. Just because they receive many requests does not mean they can deny information."