Case Study Three: SHEIN/Temu’s ‘Class Action’ – E-commerce Going Global, How Privacy Policies Can Avoid Being ‘Exposed’?
1. Case Background and Violations
In recent years, as Chinese e-commerce platforms like SHEIN and Temu rapidly expand in the global market, their challenges in data privacy compliance have become increasingly prominent. On January 16, 2025, the European privacy organization noyb filed complaints against SHEIN and Temu with the Italian and Austrian data protection authorities, respectively, alleging multiple GDPR violations. Although the title mentions ‘class action,’ this more accurately reflects multi-country regulatory complaints targeting similar violations, foreshadowing potential collective enforcement actions.
SHEIN’s Violations:
- Insufficient Data Transfer Transparency: SHEIN’s privacy policy explicitly acknowledges the transfer of user data to China but fails to provide adequate safeguards.
- Lack of Transfer Impact Assessment (TIA): Failure to conduct a sufficient Transfer Impact Assessment (TIA) for data transfers to China, a ‘third country,’ to ensure that data receives a level of protection equivalent to that in the EU after transfer.
- Ineffective Response to User Rights: Failure to effectively respond to user data access requests made under GDPR Article 15, infringing on users’ right to know about and control their personal data.
Temu’s Violations:
- Ambiguous Data Transfer Disclosure: Temu’s privacy policy mentions data transfers to ‘third countries’ but deliberately obscures the specific countries, while its corporate structure strongly suggests that data is highly likely to be transferred to China.
- Ineffective Response to User Rights: Like SHEIN, Temu also failed to respond to user data access requests.
2. Analysis of Compliance ‘Pitfalls’ for the Companies Involved
The cases of SHEIN and Temu reveal common compliance pitfalls for Chinese e-commerce companies expanding globally:
- ‘Confession’ of Violation vs. ‘Ambiguous’ Evasion: SHEIN ‘confessed’ in its privacy policy to transferring data to China but failed to establish effective legal mechanisms (such as valid Standard Contractual Clauses (SCCs) combined with a comprehensive TIA) to support such transfers. Temu, on the other hand, attempted to evade regulatory scrutiny through vague references to ‘third countries,’ which instead aroused greater suspicion from regulators. Both approaches failed to meet the GDPR’s strict requirements for data transfer transparency and legality.
- Neglect of Data Subject Rights: Both companies failed to respond to user data access requests in a timely and adequate manner. The GDPR grants data subjects extensive rights, including the rights to access, rectification, and erasure. Companies must establish efficient internal processes to handle these requests, or they will face severe penalties.
- Insufficient Understanding of the GDPR’s Extraterritorial Scope: Many Chinese companies mistakenly believe that as long as their company is not registered in the EU, the GDPR does not apply. However, GDPR Article 3 clearly states that if a company offers goods or services to data subjects in the EU, or monitors their behavior, it must comply with the GDPR regardless of where the company is located. As e-commerce platforms targeting European consumers, SHEIN and Temu undoubtedly fall within the scope of the GDPR.
3. Compliance Recommendations and Solutions
To avoid repeating these mistakes, Chinese e-commerce companies expanding globally should adopt the following compliance strategies:
- Establish Robust International Data Transfer Mechanisms:
  – Transparent Disclosure: Privacy policies must clearly and explicitly disclose the destination, legal basis, and safeguards for data transfers.
  – Lawful Transfer Tools: Prioritize the use of Standard Contractual Clauses (SCCs) approved by the European Commission, combined with a Transfer Impact Assessment (TIA), to ensure that data transferred to ‘third countries’ like China still receives a level of protection substantially equivalent to that in the EU. The TIA should assess China’s data protection legal environment, the possibility of government access to data, and the supplementary measures taken by the company.
  – Localized Data Storage and Processing: Consider establishing data centers or using cloud services within the EU to localize the storage and processing of EU user data, thereby reducing the compliance complexity of cross-border transfers.
- Strengthen Data Subject Rights Response Mechanisms:
  – Dedicated Team: Establish a dedicated team to handle data subject rights requests, ensuring responses to user access, rectification, erasure, and other requests within the GDPR’s stipulated timeframe (usually one month).
  – Automated Tools: Use automated tools to assist in processing a large volume of requests, improving efficiency and accuracy.
- Appoint an EU Representative and Data Protection Officer (DPO):
  – EU Representative: Under GDPR Article 27, companies not established in the EU but offering goods or services to EU data subjects must appoint an EU representative to act as a contact point for supervisory authorities and data subjects.
  – Data Protection Officer (DPO): Assess whether a DPO needs to be appointed. The DPO is responsible for overseeing the company’s data protection compliance and serving as an internal and external contact person.
- Continuous Compliance Audits and Updates: GDPR compliance is a dynamic process. Companies should regularly conduct internal and external compliance audits and promptly update privacy policies and data processing procedures to adapt to evolving laws, regulations, and regulatory requirements.
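As an added illustration, not part of the original article and not any company’s real process, the following Python sketch turns the transfer checks from the first strategy and the one-month response clock from the second into code run over a constructed sample register; the record fields, finding codes and sample rows are assumptions, and it simplifies by treating every non-EEA destination as a third country.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# EU-27 plus Iceland, Liechtenstein and Norway: data kept inside the EEA is not an "international transfer".
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
       "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}

@dataclass(frozen=True)
class TransferRecord:
    """One row of a hypothetical transfer register; the field names are assumptions."""
    purpose: str
    destination: Optional[str]   # ISO 3166-1 alpha-2 code, or None when the policy only says "third countries"
    disclosed_in_policy: bool    # does the published privacy policy name this destination?
    transfer_tool: Optional[str] # e.g. "SCC" (Standard Contractual Clauses); None when nothing is in place
    tia_completed: bool          # has a Transfer Impact Assessment been done for this destination?

def assess_transfer(rec: TransferRecord) -> list[str]:
    """Return the findings for one transfer (an empty list means no issue raised).
    Simplification: every non-EEA destination is treated as a third country that needs
    a transfer tool plus a TIA; adequacy decisions are ignored for brevity."""
    if rec.destination in EEA:
        return []                  # localized processing: nothing to assess under GDPR Chapter V
    findings = []
    if rec.destination is None:    # the Temu pattern: vague "third countries" wording
        findings.append("AMBIGUOUS_DESTINATION: policy does not name the receiving country")
    elif not rec.disclosed_in_policy:
        findings.append(f"UNDISCLOSED_DESTINATION: transfer to {rec.destination} is not in the policy")
    if rec.transfer_tool is None:
        findings.append("NO_TRANSFER_TOOL: no SCCs or other Chapter V mechanism documented")
    if not rec.tia_completed:      # the SHEIN pattern: transfer admitted, safeguards not evidenced
        findings.append("MISSING_TIA: no Transfer Impact Assessment for this destination")
    return findings

def dsar_deadline(received_iso: str) -> str:
    """Latest reply date for an access request: one month from receipt (GDPR Art. 12(3)).
    The possible extension is ignored, matching the 'usually one month' rule above."""
    received = date.fromisoformat(received_iso)
    month = received.month % 12 + 1
    year = received.year + (received.month == 12)
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(received.day, last_day)).isoformat()  # clamp, e.g. 31 Jan -> 28 Feb

# Constructed sample register mirroring the two complaint patterns plus one localized flow.
SAMPLE_REGISTER = [
    TransferRecord("order fulfilment", "CN", True, "SCC", False),  # admitted transfer, no TIA
    TransferRecord("analytics", None, False, None, False),         # "third countries", nothing else
    TransferRecord("customer support", "IE", True, None, False),   # processed inside the EEA
]
```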
Through these measures, Chinese e-commerce companies can effectively mitigate GDPR compliance risks, ensure steady progress in their global development, and avoid paying a heavy price for ‘exposed’ privacy policies.
Disclaimer
This article is for discussion purposes only and does not represent any form of legal opinion or advice issued by 廣悅律師事務所 (Guangyue Law Firm) or its lawyers. To reproduce or cite any content of this article, please contact the firm for authorization and credit the source when reproducing or citing it. If you would like to discuss related matters further or need professional legal support, please contact the firm.


Contact: Ms. Ye Wen (葉文)
We look forward to further exchanges with you!
About 廣悅律師事務所 (Guangyue Law Firm)
Founded in 2008, 廣悅律師事務所 (Guangyue Law Firm) is a full-service law firm with a foreign-related practice, rooted in the Greater Bay Area and committed to integrated management. It has since built a professional team of more than a hundred lawyers and other legal service staff and a diversified practice structure, offering clients high-quality, comprehensive, one-stop legal services. Following its strategy of ‘based in the Bay Area, coordinating with Hong Kong and Macau, facing the world,’ the firm now has eight offices: Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), serving clients in many countries and regions inside and outside China.
Contributed by | Guangyue Hong Kong Office
Editor | Wu Baoxuan (吳寶渲)
Reviewed by | Huang Xiaojun (黃曉俊)
Approved by | Brand Publicity and Market Development Committee