Ireland’s Data Protection Commission (DPC) announced on Tuesday that it has opened an investigation into Shein’s Irish subsidiary over its handling of EU citizen’s personal data when transferred to China.

The regulator said it will examine and assess the extent to which Shein Ireland has complied with obligations placed upon it by the EU’s GDPR, which require that data of EU citizens transferred outside the bloc is afforded the same protections it would have inside of it.

Under the GDPR, transfers of personal data outside the bloc can only take place if it complies with conditions laid out in Chapter five of the regulation. This means that data transfers must either be to countries or territories that have been authorised by the European Commission, or bound by contractual clauses that enforce data protections.

The enquiry began on 30 April, the DPC said.

“When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU,” said Graham Doyle, deputy commissioner at the DPC. “Recent regulatory action by the DPC, together with complaints to other European supervisory authorities, has brought data transfers to China, in particular, into focus.

“The inquiry is an important strategic priority for the DPC and we intend to cooperate closely with our peer European Supervisory Authorities as part of the investigation.”

A Shein spokesperson told Retail Systems: "We take our data protection obligations extremely seriously and are fully committed to complying with the GDPR and all applicable data protection laws.

“Ensuring the security of our customers' personal data is a top priority for our business. We have been actively engaging with the DPC in recent months on our data protection approach, including a number of important ongoing initiatives that reflect our commitment to maintaining the highest standards in data handling. We look forward to presenting that work as part of this process."

Due to Ireland’s position as the EU home of many large tech companies, including Meta, Apple and Google, the DPC has a long history of involvement with tech companies, and has levied over €4 billion in fines over GDPR breaches since 2020, according to Reuters.

Last year, it fined TikTok €530 million over its own data transfers to China. The case is currently being appealed in Ireland’s supreme court.

---