Irish Data Protection Authority Investigates Shein Over Possible Transfer of User Data to China

The Irish Data Protection Commission (DPC) has initiated a formal investigation into the fast-fashion retailer Shein, focusing on concerns regarding the handling and transfer of European customer data to China. This move reflects escalating regulatory scrutiny in Europe over the cross-border movement of personal data, especially to countries with data protection standards that differ significantly from those of the European Union.

The investigation centers on whether Shein has adhered to the requirements set out in the General Data Protection Regulation (GDPR) when transferring personal information of EU users to China. Under GDPR, organizations are obligated to ensure that personal data transferred outside the European Economic Area is subject to adequate safeguards that guarantee equivalent levels of protection as provided within the EU.

A key aspect of the inquiry involves examining Shein's compliance with transparency obligations. Companies operating within the EU are required to clearly inform users about how, where, and for what purposes their data is processed, particularly when it involves sharing information with third countries. The DPC's investigation will determine if Shein provided sufficient disclosure and implemented the necessary technical and organizational measures to secure the data in accordance with European standards.

This investigation follows a formal complaint lodged by the privacy advocacy group Noyb in early 2025, which raised concerns about the security and legality of Shein's data transfer processes. The issue of transferring personal data to China has come under increasing regulatory focus in Europe, with previous enforcement actions taken against other platforms for similar practices. In past cases, the DPC has found that remote access by employees based in China to European user data constituted an unauthorized international data transfer, leading to enforcement action.

Given the absence of an adequacy decision between the European Union and China, companies transferring EU personal data to China must rely on appropriate safeguards, such as standard contractual clauses. These legal instruments are designed to ensure that the personal data of EU citizens enjoys a comparable level of protection regardless of where it is processed. The DPC's ongoing investigation will assess whether Shein's measures meet these requirements and if the company has successfully mitigated the risks associated with international data transfers.

Shein has responded to the investigation by stating its commitment to upholding data protection obligations and has indicated ongoing cooperation with the DPC. The company also announced its intention to introduce new initiatives to demonstrate compliance with the European regulatory framework. However, should the Irish regulator conclude that Shein's safeguards are inadequate, the retailer could face significant penalties, including substantial fines or restrictions on its ability to transfer data outside the EU.

The outcome of this investigation is particularly significant for Shein's business model, which relies heavily on collecting and analyzing user preferences to drive fast production cycles closely integrated with Chinese manufacturing networks. Any restrictions on data flows could impact Shein's operations and its ability to serve European customers effectively.

This case underscores the growing focus of European regulators on international data transfers, particularly to jurisdictions where data protection laws may not offer the same level of security as those in the EU. It also highlights the increasing obligations placed on companies to ensure transparency and robust data protection standards when handling the information of European citizens.