The Irish Data Protection Commission (DPC) has launched an investigation into how Shein, a fast-growing online retailer, handles the transfer of customer data from the European Union (EU) and European Economic Area (EEA) to China. The investigation seeks to determine whether Shein Ireland has adhered to its obligations under the General Data Protection Regulation (GDPR) regarding cross-border data transfers.
Under GDPR, companies transferring personal data of EU citizens to non-EU countries are required to ensure that proper protections are in place, equivalent to those within the EU. This regulatory framework aims to safeguard personal information and prevent misuse.
Deputy Commissioner Graham Doyle highlighted that increasing regulatory actions and complaints across Europe have placed greater scrutiny on data transfers to China. "Recent regulatory action and complaints across Europe [have] placed data transfers to China under increased scrutiny", Doyle said. He also described the investigation as a strategic priority for the DPC, emphasizing its intent to collaborate with other European supervisory authorities throughout the process.
A spokesperson for Shein responded, stating that the company takes its data protection responsibilities "extremely seriously" and is committed to complying with GDPR and other relevant data privacy laws. The retailer also noted that it has been actively engaging with the Irish regulator in recent months regarding its data protection practices. The company expressed a commitment to maintaining high standards in data handling and customer security through ongoing initiatives.
This investigation represents the latest in a series of regulatory challenges faced by Shein as European authorities intensify oversight of cross-border data management, ecommerce compliance, and digital consumer protection. For the Irish DPC, ensuring GDPR compliance in situations involving international data transfers remains a critical focus in the context of growing global ecommerce.