Ireland Probes Shein: Is Your Shopping Data Ending Up in China?

.

Europe's Top Privacy Watchdog Turns Its Attention to Fast Fashion

Ireland's Data Protection Commission (DPC) has opened a formal inquiry into Shein, the Chinese ultra-fast fashion retailer, over concerns about how it handles the personal data of European customers. The investigation targets Shein's European, Middle East and Africa (EMEA) headquarters in Dublin, which has served as the company's EU base since 2023.

The DPC is one of Europe's most powerful privacy regulators. Because many global tech and retail companies have chosen Ireland as their EU headquarters, the DPC acts as their lead regulator across all 27 EU member states.

What the Investigation Is About

At the heart of the inquiry is a fundamental question: When a European customer shops on Shein's platform, does their personal data — names, addresses, payment details, browsing habits — get sent to servers in China? And if so, is it protected to the same standard required under European law?

Under the EU's General Data Protection Regulation (GDPR), any transfer of personal data to a country outside the European Union must come with equivalent privacy safeguards. China's domestic data laws, which give Chinese authorities broad access to company data, make this a complicated issue for any Chinese-owned platform operating in Europe.

The DPC's Deputy Commissioner Graham Doyle stated publicly that data transfers to China have come under particular scrutiny following recent enforcement actions — and that the Shein inquiry is a "strategic priority" for the commission.

The TikTok Precedent — and What It Means for Shein

This is not the first time the DPC has gone after a major Chinese platform over data transfers. In May 2025, the commission fined TikTok a staggering 530 million euros — roughly $619 million — and ordered the video app to suspend all data transfers to China until it could demonstrate full compliance with GDPR rules. That order is currently on hold while TikTok's appeal works its way through the Irish courts.

The TikTok case set a clear signal: the DPC is prepared to act decisively against Chinese-owned companies that cannot prove their users' data is safe from access by the Chinese Communist Party (CCP). Critics have long argued that Chinese national security laws effectively compel Chinese companies to cooperate with state intelligence requests — a concern that sits at the core of these privacy investigations.

Shein Responds: "We Take Compliance Seriously"

Shein, for its part, says it has been cooperating with Irish authorities and is committed to following EU privacy law. A company spokesperson stated that Shein has been "actively engaging with the DPC in recent months" and described the company as "fully committed" to GDPR compliance.

The statement offers reassurance, but regulators and privacy advocates have heard similar pledges before — including from TikTok, which ultimately faced a record fine. The DPC's inquiry will now independently assess whether Shein's data practices actually meet the required legal standards, regardless of the company's public commitments.

A Broader Pattern: Chinese Platforms Under the Microscope

The Shein investigation fits into a wider pattern of scrutiny aimed at Chinese technology and e-commerce companies active in Western markets. Concerns about data security, supply chain transparency, and the influence of the Chinese Communist Party over nominally private companies have prompted regulatory action on both sides of the Atlantic.

Since 2020, the DPC has issued more than 4 billion euros in GDPR fines in total — making it one of the most active enforcement bodies in the EU. With the Shein probe now designated a strategic priority, the commission appears ready to extend this enforcement track record into the fast-fashion sector.

What Comes Next

The DPC has not set a public timeline for concluding its inquiry. Investigations of this type can take months or even years, and may result in fines, data transfer suspensions, or binding orders requiring Shein to change its practices.

For the millions of European shoppers who use Shein's platform, the outcome could have direct consequences — either in the form of stronger data protections, or as part of a broader reckoning with the risks of sharing personal information with platforms tied to a state that does not share Western privacy values.

.

Sources

1. Reuters – Ireland's DPC opens inquiry into Shein over EU data transfers to China (May 5, 2026): https://www.reuters.com/sustainability/boards-policy-regulation/irish-data-protection-agency-launches-inquiry-into-shein-ireland-2026-05-05/
2. Reuters – TikTok fined 530 million euros by EU regulator over data protection (May 2, 2025): https://www.reuters.com/sustainability/boards-policy-regulation/tiktok-fined-530-million-euros-by-eu-regulator-over-data-protection-2025-05-02/
3. Ireland's Data Protection Commission – Official website and enforcement tracker: https://www.dataprotection.ie/
4. European Parliament – GDPR overview and transfer rules: https://www.europarl.europa.eu/topics/en/article/20191008STO62638/eu-data-protection-rules

.