
Cybersecurity News: Privacy Group Challenges TikTok and AliExpress Over Data Practices

cybersecurity news Feb 04, 2025

In a major effort to reinforce data protection across the European Union (EU), the Austrian non-profit organization None of Your Business (noyb) has lodged complaints against six Chinese companies: TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. The allegations center on the unlawful transfer of EU users’ personal data to China, where it could be accessed by Chinese authorities.


Allegations and Legal Basis for Data Transfers

Noyb contends that these companies are violating the EU’s General Data Protection Regulation (GDPR) by transferring personal data to China, a country that does not meet the EU’s data protection standards. Under GDPR, personal data may be transferred out of the EU only if the destination country ensures an adequate level of protection, or if the exporter puts in place appropriate safeguards, such as standard contractual clauses, that can actually be honoured in practice. Given China’s status as an authoritarian surveillance state, noyb argues that it is evident that China does not offer a level of protection equivalent to the EU’s, so transferring Europeans’ personal data there is unlawful and should be stopped immediately.


Companies Named in the Complaints

According to noyb, the privacy policies of AliExpress, SHEIN, TikTok, and Xiaomi explicitly state that they transfer user data to China. Temu and WeChat only mention transfers to unspecified “third countries,” which, given their corporate structures, very likely include China. Noyb highlights that these companies are obligated under Chinese law to comply with data access requests from Chinese authorities, and that China has no independent data protection authority to oversee government surveillance.


Data Transfers and Security Concerns

Data transfers are a fundamental aspect of how organizations operate: information moves between platforms and locations, within an organization or between different entities, to support critical business functions. Every transfer is also a point at which data can be intercepted, misdirected, or land under a jurisdiction with weaker protection, which is exactly the concern behind the noyb complaints.

Data transfers can be broadly categorized into three types:

  • Intra-organizational data transfers: These involve the movement of data within the same organization, such as between different departments, teams, or internal systems. This type of transfer is crucial for ensuring that all parts of an organization have access to the information they need to function effectively.

  • Inter-organizational data transfers: These occur between different organizations, such as partners, suppliers, or customers. This type of transfer is essential for collaboration and coordination between different business entities.

  • Cloud-based data transfers: These involve transferring data to or from cloud storage services such as Amazon S3 or Azure Blob Storage. Cloud-based transfers are increasingly common as organizations move towards cloud computing for greater flexibility and scalability, and the storage region chosen determines which jurisdiction the data ends up in.

Various methods are used to perform data transfers, and they differ sharply in the protection they provide:

  • File Transfer Protocol (FTP): A network protocol for transferring files between systems over a TCP-based network such as the internet. FTP sends both credentials and file contents in cleartext, so anyone on the network path can read or modify them; it should not be used for sensitive data.

  • SSH File Transfer Protocol (SFTP): Despite the name, SFTP is not an extension of FTP but a separate file-transfer protocol that runs over SSH. The SSH channel encrypts and authenticates the session, and the client should verify the server’s host key so that it cannot be redirected to an impostor. (FTPS, which is FTP wrapped in TLS, is a different protocol again.)

  • Cloud-based data transfer services: These move data to and from cloud storage over TLS and typically add controls such as identity-based access policies, server-side encryption, and audit logging to protect sensitive information during the transfer process.
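As an added example (not code from noyb or from the article), here is a small pre-deployment check in Python that applies the two points above to a set of configured export jobs: it rejects plaintext FTP/HTTP transports, flags SFTP endpoints without a pinned host key, and flags jobs that send personal data outside the EEA without an adequacy decision or a named safeguard. The job list, hostnames and fingerprint are constructed for illustration, and the adequacy set is an illustrative subset, not the Commission’s official list.

```python
"""Transfer-policy gate for outbound data-transfer jobs (constructed example).

Each job is checked against two rules: the transport must protect data in
transit, and personal data may leave the EEA only with a transfer mechanism
(adequacy decision or appropriate safeguards under GDPR Chapter V).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# EEA member states (EU-27 plus Iceland, Liechtenstein and Norway), ISO 3166-1 alpha-2.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Illustrative subset of countries with an EU adequacy decision (assumption for the
# example). The authoritative list is published by the European Commission and changes.
ADEQUACY = {"CH", "GB", "JP"}

# Transports that encrypt data in transit. Plain ftp:// and http:// are rejected.
ENCRYPTED_SCHEMES = {"sftp", "ftps", "https"}

# Safeguards this gate accepts for non-EEA destinations. An SCC only helps if the
# importer can actually honour it, so a transfer impact assessment is still required.
SAFEGUARDS = {"SCC", "BCR"}

REASONS = {
    "PLAINTEXT_TRANSPORT": "credentials and data travel in cleartext",
    "UNKNOWN_TRANSPORT": "transport not on the approved list",
    "UNPINNED_HOST_KEY": "sftp endpoint has no pinned server host key",
    "UNKNOWN_DESTINATION": "destination country not recorded for personal data",
    "NO_TRANSFER_MECHANISM": "personal data leaves the EEA without adequacy or safeguard",
}


@dataclass(frozen=True)
class TransferJob:
    name: str
    url: str                                    # destination endpoint
    country: Optional[str]                      # where the data lands; None if unknown
    personal_data: bool                         # carries personal data of EEA users?
    host_key_fingerprint: Optional[str] = None  # pinned SSH host key for sftp
    safeguard: Optional[str] = None             # "SCC", "BCR" or None


def check_transport(job: TransferJob) -> List[str]:
    """Flag transports that expose data on the wire or cannot be authenticated."""
    findings = []
    scheme = urlparse(job.url).scheme.lower()
    if scheme in {"ftp", "http"}:
        findings.append("PLAINTEXT_TRANSPORT")
    elif scheme not in ENCRYPTED_SCHEMES:
        findings.append("UNKNOWN_TRANSPORT")
    if scheme == "sftp" and not job.host_key_fingerprint:
        findings.append("UNPINNED_HOST_KEY")
    return findings


def check_destination(job: TransferJob) -> List[str]:
    """Apply the Chapter V rule: personal data needs a lawful basis to leave the EEA."""
    if not job.personal_data:
        return []
    if job.country is None:
        return ["UNKNOWN_DESTINATION"]  # "unspecified third countries" is not acceptable
    country = job.country.upper()
    if country in EEA or country in ADEQUACY:
        return []
    if job.safeguard in SAFEGUARDS:
        return []
    return ["NO_TRANSFER_MECHANISM"]


def evaluate(jobs: List[TransferJob]) -> Dict[str, List[str]]:
    """Return finding codes per job; an empty list means the job passes the gate."""
    return {job.name: check_transport(job) + check_destination(job) for job in jobs}


# Constructed sample configuration; hostnames and fingerprint are placeholders.
SAMPLE_JOBS = [
    TransferJob("crm-backup", "sftp://backup.example.eu/exports", "DE", True,
                host_key_fingerprint="SHA256:EXAMPLEFINGERPRINTxxxxxxxxxxxxxxxxxxxxxxxxx"),
    TransferJob("legacy-export", "ftp://legacy.example.com/upload", "NL", True),
    TransferJob("analytics-feed", "sftp://feed.example.cn/in", "CN", True),
    TransferJob("partner-jp", "https://partner.example.jp/api/ingest", "JP", True),
    TransferJob("hr-payroll", "https://payroll.example.com/import", "US", True, safeguard="SCC"),
    TransferJob("ad-sync", "https://ads.example.com/sync", None, True),
    TransferJob("public-catalog", "http://cdn.example.com/catalog.json", "US", False),
]

if __name__ == "__main__":
    for name, codes in evaluate(SAMPLE_JOBS).items():
        status = "PASS" if not codes else "BLOCK"
        print(f"{status:5} {name}")
        for code in codes:
            print(f"      - {code}: {REASONS[code]}")
```

The gate is deliberately conservative: a job with no recorded destination country is blocked rather than assumed to stay in the EEA, which mirrors the objection to privacy policies that speak only of unspecified third countries.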


Information Security Management System (ISMS)

An Information Security Management System (ISMS) is a comprehensive framework designed to manage and protect an organization’s information assets. It encompasses a set of policies, procedures, and controls aimed at ensuring the confidentiality, integrity, and availability of data, thereby safeguarding it from unauthorized disclosure, use, or destruction.

An effective ISMS typically includes the following components:

  • Information security policies: These are formalized rules and guidelines that outline an organization’s approach to managing and protecting its information assets. They serve as the foundation for the organization’s information security programs.

  • Risk management: This involves identifying, assessing, and mitigating risks to the organization’s information assets. By understanding potential threats and vulnerabilities, organizations can implement security measures to protect against data breaches and other security incidents.

  • Security controls: These are the technical and administrative measures put in place to protect information assets. Examples include firewalls, intrusion detection systems, encryption, and access controls that ensure only authorized users can access sensitive data.

  • Incident response: This is a structured approach for handling security incidents, such as data breaches or cyber attacks. An incident response plan outlines the steps to be taken to contain and mitigate the impact of an incident, as well as to recover from it.

  • Continuous monitoring: This involves the ongoing assessment of the organization’s information security posture to identify and address potential weaknesses. Continuous monitoring helps ensure that security controls remain effective and that the organization can respond quickly to emerging threats.


Network Security and Data Protection


Network security is a critical aspect of an organization’s overall information security strategy. This entails deploying technologies and strategies to safeguard data integrity, confidentiality, and availability while it moves across networks. Effective network security measures are essential for preventing unauthorized access, data breaches, and other cyber threats.

Network security encompasses a range of practices and technologies, including:

  • Firewalls: These function as protective barriers between trusted and untrusted networks, regulating inbound and outbound traffic according to predefined security rules.

  • Intrusion detection and prevention systems (IDPS): These systems analyze network traffic for signs of suspicious activity and can respond to mitigate potential threats.

  • Encryption: This protects data in transit so that it can be read only by the parties holding the keys, preventing disclosure or tampering while it crosses untrusted networks.

  • Access controls: These ensure that only authorized users can access certain network resources, thereby protecting sensitive data from unauthorized access.

By implementing robust network security measures, organizations can protect their sensitive data and maintain the trust of their customers and partners. In an era where cyber threats are constantly evolving, maintaining strong network security is essential for safeguarding critical business functions and ensuring the overall security of information technology systems.


Legal Actions and Potential Consequences

Complaints have been filed in Austria, Belgium, Greece, Italy, and the Netherlands, seeking an immediate suspension of these data transfers. If found in violation of GDPR, the companies could face fines of up to 4% of their global annual turnover. This legal action marks noyb’s first complaint against Chinese firms; it has previously targeted American companies such as Apple and Meta.


Broader Context of Information Security

This development coincides with ByteDance-owned TikTok's plans to cease operations in the U.S. on January 19, 2025, the scheduled enforcement date of a federal ban on the platform. In recent months, noyb has also lodged GDPR-related complaints against Google, Microsoft, and Mozilla, alleging unauthorized user tracking through Privacy Sandbox, Xandr, and Firefox, respectively.


Conclusion 

Noyb’s legal actions underscore the critical importance of adhering to data protection regulations and the challenges posed by international data transfers. Organizations must ensure appropriate safeguards when they transfer personal data to non-EEA countries to comply with GDPR. As the digital landscape continues to evolve, ensuring the privacy and security of personal data remains a paramount concern for both regulatory bodies and consumers.
