Introduction
Data privacy and security have become increasingly critical in today’s digital landscape, with international regulations such as the General Data Protection Regulation (GDPR) setting high standards. Recently, Austrian privacy advocacy group None of Your Business (noyb) raised serious allegations against several prominent companies for unlawful data transfers to China, sparking debates over compliance and data sovereignty. Meanwhile, in the United States, the Federal Trade Commission (FTC) has taken action against corporations like General Motors and GoDaddy for data privacy violations. This article explores these cases and their implications for global cybersecurity.
Noyb’s Complaints Against Data Transfers to China
Noyb has filed formal complaints against well-known companies such as TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, accusing them of violating GDPR by unlawfully transferring users’ data to China. These complaints were lodged in Austria, Belgium, Greece, Italy, and the Netherlands.
Kleanthi Sardeli, a data protection lawyer at noyb, emphasized the risks, stating, “Given that China is an authoritarian surveillance state, it is crystal clear that China doesn’t offer the same level of data protection as the E.U.” Noyb asserts that these companies are unable to safeguard user data from potential access by Chinese authorities, highlighting China’s lack of an independent data protection body to address government surveillance concerns.
Noyb also noted that the companies did not respond to GDPR access requests for information about the nature and destination of their data transfers. Privacy policies from AliExpress, SHEIN, TikTok, and Xiaomi explicitly mention data transfers to China, while Temu and WeChat indicate transfers to “third countries,” likely including China based on their corporate structures.
TikTok’s U.S. Ban Looms
The complaints come as TikTok, owned by ByteDance, prepares to shut down operations in the U.S. due to a federal ban set to take effect on January 19, 2025. This highlights a growing trend of regulatory scrutiny over data privacy concerns, particularly with platforms operating across borders.
FTC Actions in the United States
While noyb targets European data privacy violations, the U.S. Federal Trade Commission has been addressing similar issues domestically. Two recent cases underline the FTC’s commitment to holding companies accountable for data security.
General Motors and Consumer Data Misuse
The FTC banned General Motors from sharing driver data, such as geolocation and behavior, with consumer reporting agencies without explicit consent. This decision followed revelations from a New York Times investigation that identified GM’s collaboration with data brokers, LexisNexis Risk Solutions and Verisk, to generate risk profiles affecting auto insurance rates.
In response, GM discontinued its "Smart Driver" program in April 2024 and implemented measures allowing customers to access and delete their personal data through an online privacy request form.
GoDaddy’s Security Overhaul
The FTC also ordered website hosting provider GoDaddy to revamp its data security practices following multiple breaches from 2019 to 2022. The agency criticized GoDaddy for inadequate security measures, including poor software patching, insufficient use of multi-factor authentication, and a lack of proper threat monitoring.
Although GoDaddy did not admit to any wrongdoing or face fines, the FTC mandated a comprehensive overhaul of its information security program.
Strengthening Online Privacy for Children
The FTC further amended the Children’s Online Privacy Protection Rule (COPPA) to enhance safeguards for children’s data. The new regulations require companies to obtain verifiable parental consent before processing children’s data for advertising or sharing it with third parties. Additionally, the rules mandate data retention policies to ensure children’s information is only kept as long as necessary for its intended purpose.
FTC Chair Lina M. Khan commented, “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission.”
Conclusion
The cases highlighted by noyb and the FTC illustrate the increasing complexity of data privacy and security enforcement in a globalized, interconnected world. While advocacy groups like noyb push for stricter compliance with GDPR, U.S. regulators are taking significant steps to protect consumers and children from data misuse. These actions underline the urgent need for businesses to prioritize robust data protection measures to meet evolving regulatory expectations and protect user privacy.
0 Comments