Does Shein Send Data to China? Irish Watchdog Investigates

Ireland has become a strategic base for many global tech firms because its corporate tax regime and EU membership simplify cross‑border operations. The Irish Data Protection Commission (DPC) therefore plays a pivotal role in enforcing the General Data Protection Regulation (GDPR), routinely auditing companies that process European personal data. By focusing on data‑transfer mechanisms, the DPC ensures that firms respect the EU’s strict rules on international data flows, especially when data moves to jurisdictions with divergent privacy standards.

Shein’s investigation centers on allegations that the fast‑fashion retailer routed European customers' personal information to servers in China without adequate legal safeguards. Under GDPR, such transfers require a valid mechanism—like Standard Contractual Clauses—or an adequacy decision, which China lacks. If the DPC confirms violations, Shein could face fines up to 4% of its worldwide turnover, potentially amounting to hundreds of millions of dollars, as well as mandatory remediation measures. The scrutiny also extends to the clarity of Shein’s privacy notices, a critical factor in demonstrating lawful processing.

The case underscores a broader industry trend: regulators are intensifying oversight of data practices for companies headquartered in Ireland, from cloud providers to e‑commerce platforms. Firms must reassess their data‑localisation strategies, invest in robust compliance frameworks, and enhance transparency with users. For businesses operating in the EU, proactive engagement with data‑protection authorities and adopting privacy‑by‑design principles are becoming essential to mitigate legal risk and preserve consumer trust.