Filed on 17 July 2025, the complaints target the companies for failing to meet obligations under Article 15 of the General Data Protection Regulation (GDPR), which entitles individuals to obtain a complete copy of their personal data. 

According to noyb, these Chinese-owned platforms are deliberately making it difficult for users to access their data in full, a legal requirement across the European Union.

While many technology firms provide users with structured tools to download their data, noyb said TikTok, AliExpress, and WeChat either delivered incomplete data, delayed their responses, or provided files so disorganised that users could not understand them.

“TikTok, AliExpress and WeChat love collecting as much data about you as possible – but vehemently refuse to give you full access as required by EU law,” stated Kleanthi Sardeli, data protection lawyer at noyb.

In its complaint, noyb outlined the extent of each company’s alleged non-compliance:

• TikTok reportedly provided users with raw, unstructured data that lacked explanations on processing purposes, recipients, or cross-border transfers.
• AliExpress sent a corrupted data file that could only be accessed once and failed to engage meaningfully with further requests.
• WeChat responded after six months, offering generic instructions but none of the mandatory information concerning data transfers or safeguards.

This isn’t the first time noyb, short for “None of Your Business”, has challenged Chinese tech companies over data privacy violations. In January 2025, it filed complaints against six Chinese firms, including Shein, Temu, Xiaomi, AliExpress, TikTok, and WeChat, pointing to unlawful data transfers to China. 

The advocacy group argued that China’s status as an “authoritarian surveillance state” makes it impossible for companies to guarantee that European user data won’t end up in government hands.

At the time, noyb demanded suspension of all data transfers to China and penalties of up to 4% of global revenue. If enforced, AliExpress could face a fine of €147 million, while Temu risks €1.35 billion.

EU regulators have issued more than 6,680 fines worth €4.2 billion since GDPR enforcement began in 2018. However, enforcement against non-European platforms has been inconsistent. 

Noyb’s latest filings seek to pressure regulators into closing that gap, particularly as Chinese platforms continue their aggressive expansion into European markets.

Noyb has previously gone after U.S. tech giants like Apple, Alphabet, and Meta, contributing to regulatory investigations and billion-euro penalties.

The current cases are escalations against Chinese companies accused of privacy violations and undermining European digital sovereignty.

The fabricated accusation was detailed, incorporating true elements of his personal life—his real hometown and the correct number and gender of his children—making the falsehood even more disturbing.

The privacy advocacy group Noyb has now filed a formal complaint against OpenAI, arguing that ChatGPT’s ability to generate false and defamatory personal information is a clear violation of the European Union’s General Data Protection Regulation (GDPR). 

“The GDPR is clear. Personal data has to be accurate,” said Joakim Söderberg, a data protection lawyer at Noyb. “If it’s not, users have the right to have it changed to reflect the truth.”

This is not an isolated case. ChatGPT has previously been accused of falsely implicating individuals in corruption, child abuse, and other serious crimes. 

In one instance, the AI wrongly linked an Australian mayor to a bribery scandal, and in another, it accused a German journalist of child abuse. Despite these incidents, OpenAI has not provided a way for individuals to correct false information, only offering to block responses related to their names.

The issue at the heart of the complaint is that OpenAI’s AI model generates responses by predicting the most statistically likely sequence of words, without verifying factual accuracy. 

The result? Fabricated stories that can cause real reputational harm. Holmen, the Norwegian complainant, summed up his fears: “Some think that ‘there is no smoke without fire.’ The fact that someone could read this output and believe it is true is what scares me the most.”

Under GDPR, companies processing personal data must ensure its accuracy. If they fail, they could face fines of up to 4% of their global annual revenue. OpenAI’s previous run-ins with European regulators have already led to penalties—Italy’s data protection authority fined the company €15 million earlier this year for processing personal data without a legal basis.

Yet, enforcement across Europe has been inconsistent. A similar Noyb-backed complaint filed in Austria in April 2024 was handed over to Ireland’s Data Protection Commission (DPC), which has yet to make a ruling. The Polish data protection authority has also been investigating a complaint since September 2023, with no conclusion in sight.

Noyb is now pushing for Norway’s regulator to take a firm stance, arguing that OpenAI’s U.S. entity, rather than its Irish subsidiary, should be held responsible. Whether this will speed up enforcement remains uncertain.

In response, OpenAI has altered ChatGPT’s behaviour. Instead of generating answers from its internal model alone, it now retrieves information from the internet when asked about individuals. This change appears to have stopped ChatGPT from making false claims about Holmen—but it does not erase the issue that such hallucinations may still be embedded within the system.

Kleanthi Sardeli, another Noyb data protection lawyer, dismissed OpenAI’s approach: “Adding a disclaimer that you do not comply with the law does not make the law go away.” She warned that AI companies “cannot just ‘hide’ false information from users while they internally still process false information.”

NOYB accuses Mozilla of breaching the European Union’s General Data Protection Regulation (GDPR) by enabling this feature by default, without obtaining user consent.

The feature, called Privacy-Preserving Attribution (PPA), is designed to allow advertisers to measure the success of their ads without gathering identifiable personal data. 

However, NOYB argues that it still involves tracking user behaviour across websites, which they claim is a violation of users’ privacy rights under GDPR. The complaint has been lodged with the Austrian Data Protection Authority.

Mozilla, often recognised for its standpoint on privacy, is now facing accusations for this update, as users were not explicitly informed or given the option to opt-in to the new tracking mechanism. 

Instead, PPA was turned on automatically following a software update. According to NOYB, this move undermines user autonomy and transparency, which are key pillars of GDPR compliance.

Commenting on the matter, Felix Mikolasch, a data protection lawyer at NOYB, criticised Mozilla’s approach, stating, “Users should have the right to choose whether they want to be tracked, and this feature should never have been enabled by default.”

Mozilla responded by defending the introduction of PPA, asserting that the feature was part of a goal to reduce more invasive forms of tracking that rely on cookies. 

The company emphasised that PPA is a more privacy-friendly solution that avoids identifying individual users, instead relying on aggregated data to provide advertisers with insight. Mozilla also clarified that users can manually disable the feature through the browser settings.

NOYB’s request includes a demand that Mozilla switch to an opt-in system and delete any data collected thus far through the PPA feature. 

Should the complaint succeed, Mozilla could face some penalties under GDPR, which allow fines of up to 4% of global revenue.

The platform began processing user data without seeking permission, leading to a fresh wave of privacy complaints across multiple European countries.

The issue came to light when a vigilant user noticed a new setting that revealed X had quietly started using post data from EU users for its Grok AI chatbot. This discovery drew immediate concern from the Irish Data Protection Commission (DPC), the main body responsible for overseeing X’s compliance with the General Data Protection Regulation (GDPR).

The Irish DPC quickly initiated legal proceedings against X, aiming to halt the processing of unauthorised data. However, privacy advocates, including the non-profit organisation noyb, have condemned the DPC’s response as insufficient. 

Noyb, led by privacy activist Max Schrems, has lodged complaints in nine countries, arguing that X’s actions violate several GDPR provisions. These complaints focus on the lack of transparency and consent in X’s data handling practices.

This situation has brought back the issue of personal data protection in the EU. Under the GDPR, companies are required to have a valid legal basis for processing personal data, typically through user consent. However, X has attempted to justify its actions under the “legitimate interest” clause — a defence that has already been dismissed by the European Court of Justice in similar cases involving other tech giants.

Despite this, X continued its data processing until early August 2024, without adequately informing users or offering them a chance to opt out. A setting allowing users to block data processing was only added in late July, long after the data had been ingested into the AI system.

Max Schrems and other privacy advocates are calling for more strict enforcement of GDPR regulations, noting that companies must obtain consent before using personal data for AI training or any other purposes. They argue that the current situation brings out the need for stronger oversight to prevent companies from bypassing user rights.

Meta recently notified users in the UK and Europe that, starting June 26, publicly shared information could be used to “develop and improve” its AI products. This includes posts, images, captions, comments, and Stories, but excludes private messages.

The European advocacy group NOYB (None of Your Business) has criticized Meta’s move, filing complaints with data protection authorities in 11 countries, including Austria, Belgium, France, and Germany. 

NOYB says that Meta’s use of years’ worth of user content constitutes an “abuse of personal data for AI.” The group has urged regulators to intervene and halt Meta’s plans, emphasizing that the changes contravene the EU’s General Data Protection Regulation (GDPR).

Meta, however, maintains that its approach complies with privacy laws and is similar to practices adopted by other major tech firms. The company insists that its use of public user data is essential for training AI systems to reflect the diverse cultures and languages of European communities. 

In a blog post from May 22, Meta stated that such data would enhance the rollout of its generative AI features, which include chatbots and image generators.

Individuals, including NOYB founder Max Schrems, argue that Meta should seek explicit user consent rather than relying on a complex opt-out process. 

Users who wish to object must utilize a form explaining how the data processing affects them, a process Schrems describes as “highly awkward” and potentially dissuasive. 

Schrems has also pointed out that the European Court of Justice has previously ruled against similar uses of user data by Meta for advertising purposes, questioning the legitimacy of the company’s current approach.

Meta’s policy shift has drawn attention to issues of data privacy and the ethical use of personal information in AI development. The Irish Data Protection Commission, which oversees Meta’s compliance with EU laws, has acknowledged receiving complaints from NOYB and is investigating the matter.

The complaints centre on concerns about transparency and the processing of children’s data on the Microsoft platform, potentially violating the European Union’s General Data Protection Regulation (GDPR).

The first complaint alleges a lack of transparency around data processing. noyb asserts that Microsoft’s contracts with schools attempt to shift responsibility for GDPR compliance onto them. 

Schools, however, lack the capacity to monitor or enforce Microsoft’s data practices, creating a situation where children’s data may be processed in ways that don’t comply with GDPR.

noyb further criticizes Microsoft for providing “consistently vague” information regarding data collection practices within Microsoft 365 Education. This lack of transparency makes it difficult, if not impossible, for parents and children to understand how their data is being used.

The second complaint highlights the use of tracking cookies within Microsoft 365 Education software. These cookies reportedly collect user browsing data and analyze user behaviour, potentially for advertising purposes. 

noyb says such tracking practices occur without the consent of users or the knowledge of the schools themselves, and there appears to be no legal justification for it under GDPR.

The GDPR mandates strong protections for children’s data, emphasizing transparency and accountability. Violations can result in significant fines, potentially reaching up to 4% of a company’s global annual turnover, which could translate to billions of dollars for Microsoft.

noyb has requested that the Austrian DPA investigate the complaints and determine the extent of data processing by Microsoft 365 Education. The company has also urged the authority to impose fines if GDPR violations are confirmed.

Microsoft has yet to respond to the complaints. While the company has a European headquarters in Ireland, noyb emphasizes the “locally relevant” nature of the complaints due to its focus on Austrian schools and children. This could lead to a faster investigation and potential enforcement action by the Austrian DPA.

The GDPR has resulted in hefty penalties for violations involving children’s data in the past, with major social media platforms like Meta and TikTok facing fines. 

Microsoft’s cloud services have also faced investigation in Europe, with the European Data Protection Supervisor raising issues about the EU’s own use of Microsoft 365. These latest complaints add to the ongoing legal complexities surrounding Microsoft’s cloud products in the European Union.