Chinese Apps are even worse than US Providers. Most major tech companies have by now implemented some sort of automation tool that allows them to fulfil GDPR access requests on a mass scale, usually via a “download your information” tool. Theoretically, this would make it extremely easy for them to comply with EU law. In reality, however, both TikTok and AliExpress haven’t bothered to give the data subjects access to all of their data as required under Article 15 GDPR. TikTok only provided part of the complainant’s data in an unstructured form that was impossible to understand. AliExpress provided a broken file that could be opened only once. WeChat, on the other hand, just completely ignored the complainant’s request.

Kleanthi Sardeli, data protection lawyer at noyb: “Tech companies love collecting as much data about you as possible – but vehemently refuse to give you full access as required by EU law.”

Unable to verify lawfulness of processing. Since TikTok and AliExpress provided the complainants with incomplete data, the users sent a series of follow-up questions to give these companies another chance. Instead of supplying the missing data, both companies chose to just repeated the contents of their privacy policy without any individual information. This made it impossible for the complainants to check whether their data has been processed in line with the GDPR.

Follow-up to Chinese data transfer complaints. The access requests in question were originally filed in preparation for a series of noyb complaints from January 2025. At the time, noyb had taken legal action against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. According to EU law, data transfers outside the EU are only allowed if the destination country doesn’t undermine the protection of data. Given that Chinese laws do not limit access to personal data by the authorities, companies can’t realistically shield EU users’ data from government access. During the proceedings, SHEIN, Temu and Xiaomi provided the complainants with additional information. Meanwhile, TikTok, AliExpress and WeChat continued to violate the GDPR.

Kleanthi Sardeli, data protection lawyer at noyb: “The GDPR makes it clear that companies must give their users specific information about the data they are processing about them. Just because they receive a lot of requests doesn’t mean they can withhold information.”

Complaints filed in three EU countries. noyb has therefore filed three complaints with the data protection authorities (DPAs) in Belgium, Greece and the Netherlands. We request that the respective DPAs issue a decision declaring that TikTok, AliExpress and WeChat have violated Article 12 and 15 GDPR. In addition, we request that the companies are ordered to fulfil the complainants’ access requests. Last but not least, we suggest that the DPAs impose an administrative fine to prevent similar violations in the future. Such a fine can reach up to 4% of the global revenue, which can e.g. amount to €147 million (annual revenue of €3.68 billion) for AliExpress.