noyb files formal complaints in Belgium, Greece, and the Netherlands, alleging serious violations of EU privacy law
In a significant move against non-compliance by international tech companies, the European privacy advocacy organization noyb (None of Your Business) has filed formal General Data Protection Regulation (GDPR) complaints against TikTok, AliExpress, and WeChat. The complaints, submitted to data protection authorities (DPAs) in Belgium, Greece, and the Netherlands, accuse the companies of failing to respect EU citizens’ fundamental right to access their personal data.
The allegations stem from the companies’ non-compliance with Article 15 GDPR, which guarantees individuals the right to obtain full and intelligible information about how their personal data is being processed.
Incomplete, Inaccessible, or Ignored: What Went Wrong
Despite the legal obligation under GDPR for companies to provide users with access to their personal data upon request, the complaints detail a pattern of negligence and evasion by the three tech platforms:
– TikTok responded to a user’s access request with only a partial data set, presented in a disorganized and unreadable format, making it impossible for the user to understand how their data was being used.
– AliExpress provided a corrupted file that could only be accessed once. No functional version of the data was subsequently offered, leaving the user without a usable copy of their own personal information.
– WeChat, operated by Tencent, failed to respond at all to the access request, blatantly ignoring its obligations under EU law.
These failures stand in direct violation of Article 15 GDPR, which stipulates that data subjects must be given clear, complete, and accessible information about how their personal data is being processed, as well as a copy of the actual data.
Kleanthi Sardeli, data protection lawyer at noyb, commented:
„Tech companies love collecting as much data about you as possible – but vehemently refuse to give you full access as required by EU law. This lack of transparency undermines the fundamental privacy rights of EU citizens.”
The Legal Background: What Is Article 15 GDPR?
Under the General Data Protection Regulation, any person residing in the EU has the right to request and receive all personal data a company holds about them. This includes:
– The purposes for which the data is being processed
– The categories of data being collected
– The recipients or categories of recipients to whom data has been disclosed
– The source of the data (if not collected from the data subject directly)
– Whether the data is being transferred to a third country, and on what legal basis
– A full, intelligible copy of all personal data held
This right is fundamental to ensuring transparency, accountability, and data autonomy. Companies must comply with such requests within one month, extendable by two months in complex cases—with proper justification.
Repeat Offenders? Data Transfer Violations Raise Broader Concerns
The access requests that led to the current complaints were part of a broader legal strategy by noyb to investigate unlawful international data transfers, particularly to China. In January 2025, noyb initiated legal proceedings against several Chinese tech companies—including TikTok, AliExpress, WeChat, SHEIN, Temu, and Xiaomi—for allegedly transferring EU citizens’ data to China without proper safeguards.
According to EU law, personal data can only be transferred outside the European Economic Area (EEA) if the destination country provides an equivalent level of data protection. However, Chinese law grants broad access to personal data for state authorities, raising serious concerns about the ability of Chinese companies to protect EU users’ data from government surveillance.
While companies like SHEIN, Temu, and Xiaomi eventually engaged with noyb and provided additional information during those proceedings, TikTok, AliExpress, and WeChat continued to violate GDPR obligations, including failing to respond properly to access requests.
Privacy Policies ≠ Legal Compliance
In the aftermath of their incomplete or missing responses, TikTok and AliExpress received follow-up queries from the complainants, giving them a second chance to rectify the situation. Instead of complying, both companies merely reiterated their generic privacy policies, without offering any user-specific information or clarification.
This tactic not only evades transparency but also makes it impossible for individuals to verify whether their personal data is being processed lawfully, including whether it’s being transferred abroad, sold, or shared with third parties.
noyb’s Legal Demands
Based on these findings, noyb is now requesting that the data protection authorities in Belgium, Greece, and the Netherlands take the following actions:
- Declare that TikTok, AliExpress, and WeChat have violated Articles 12 and 15 of the GDPR
- Order the companies to provide full access to the complainants’ personal data
- Impose administrative fines sufficient to deter future non-compliance
Under the GDPR, fines for such violations can reach up to 4% of a company’s global annual revenue. For example, with an estimated revenue of €3.68 billion, AliExpress could face penalties of up to €147 million.
Chinese Apps Lagging Behind in GDPR Compliance
While most U.S.-based tech platforms have, over time, implemented automated systems to fulfill data access requests—often through downloadable „Your Data” tools—Chinese tech companies appear to lag significantly in this area.
Sardeli concluded:
„The GDPR makes it clear that companies must give their users specific information about the data they are processing about them. Just because they receive a lot of requests doesn’t mean they can withhold information. Compliance is not optional—it’s the law.”
What This Means for EU Users
This case reinforces ongoing concerns that major tech companies, particularly those based outside the EU, are undermining the rights of European citizens by treating GDPR requirements as a formality rather than a legal obligation.
With regulators now investigating, the outcome of these complaints may set a critical precedent for how international tech platforms are expected to handle personal data within the EU.
Source: ”noyb.eu”
