GDPR right to information: Noyb complains about AliExpress, TikTok, and WeChat
Civil rights groups say AliExpress, TikTok, and WeChat violate GDPR by not fully providing users' data. They demand complete access to personal information.
(Image: peterschreiber.media/Shutterstock.com)
The Austrian civil rights organization Noyb has made serious allegations against tech giants AliExpress, TikTok, and WeChat. The activists claim that the three Chinese internet companies are systematically violating the General Data Protection Regulation (GDPR) by not responding properly to requests for information from users. Noyb has therefore filed official complaints with the data protection authorities in Belgium, Greece, and the Netherlands.
Right to access your own data
At the heart of the dispute is the right of users to obtain a complete copy of their personal data processed by companies. This right is enshrined in Article 15 of the GDPR. Many large tech companies now provide tools that are supposed to enable users to download their own data. In practice, however, the situation is often different. According to Noyb, neither TikTok nor AliExpress have made any effort to provide adequate information.
TikTok accuses the civil rights organization of having provided "only part of the data in an unstructured form that was impossible to understand." AliExpress allegedly provided a "defective file that could only be opened once." WeChat is said to have "simply ignored the complainant's request entirely." Kleanthi Sardeli, data protection lawyer at Noyb, criticizes this sharply: "Tech companies love to collect as much data as possible about their users." However, they vehemently refused to "give them full access in accordance with EU law."
Videos by heise
Verification of data processing impossible
According to Noyb, the incomplete or incomprehensible responses from TikTok and AliExpress prevent users from verifying how their personal data is being processed. Those affected initially asked follow-up questions to give the companies a second chance. However, instead of providing the missing data, the companies simply reproduced the content of their privacy policies "without any individual information."
The current requests for information should not be viewed in isolation. They were made in the run-up to a series of complaints filed by Noyb in January 2025. At that time, the organization took legal action against several companies, including TikTok, AliExpress, Shein, Temu, WeChat, and Xiaomi, for unlawful data transfers to China. EU law stipulates that data transfers to third countries are only permitted if data protection is guaranteed there. Given Chinese laws that give authorities extensive access to personal data, this is hardly realistic.
Exerting pressure and imposing fines
Shein, Temu, and Xiaomi have since provided additional information. According to Noyb, TikTok, AliExpress, and WeChat "continue to violate the GDPR." Sardeli reiterates the claims: Even if companies receive many requests, this does not mean "that they can refuse to provide information."
Noyb is calling on the data protection authorities in the three EU countries concerned to force the companies to comply with the requests for information. The activists also propose imposing fines to prevent future violations. Such penalties can amount to up to 4 percent of annual turnover. For AliExpress, based on annual revenue of €3.68 billion, this would mean a fine of up to €147 million. The right to information is considered an important tool of the GDPR. Noyb repeatedly criticizes companies for not paying sufficient attention to this right. According to the Federal Fiscal Court (BFH), the right also applies in cases of "disproportionate effort. "
(vbr)
