Shein data transfer inquiry: cross-border data risk is back in focus with Ireland’s Data Protection Commission


Corey

Key takeaways

Ireland’s Data Protection Commission has opened an inquiry into SHEIN Ireland over transfers of EU/EEA personal data to China.

The DPC has said transfers to China are now an “important strategic priority,” and the inquiry will examine GDPR principles, transparency obligations, and Chapter V transfer requirements. This messaging makes this far more than an Irish data privacy story. It is a signal that cross-border data risk is becoming a live governance issue for any organization that relies on global platforms, vendors, cloud infrastructure, or international data processing.

Ireland’s Data Protection Commission opened an inquiry into Infinite Styles Services Co. Ltd., known as SHEIN Ireland, on 5 May 2026. The inquiry concerns transfers of personal data of EU/EEA data subjects to China.

However, this is not just a story about one retailer.

The DPC says transfers to China are now an “important strategic priority,” and the inquiry will examine GDPR principles, transparency obligations, and Chapter V transfer requirements.

Ireland’s Data Protection Commission is the lead EU regulator for many global technology firms, and it has levied more than €4bn in GDPR fines since 2020. There is also a specific trend of interrogating China-related data transfers, including those of TikTok.

For senior enterprise leaders with global operations, this is a signal. The practical question increasingly being asked is whether the business can prove what personal data moved, why it moved, who accessed it, what safeguards applied, and whether those safeguards still hold as vendors, systems, hosting regions, and business purposes change.

That is where these headlines involving cross-border data risk are becoming bigger than privacy paperwork. It becomes a live governance issue for any organization that relies on global platforms, cloud infrastructure, vendors, sub-processors, analytics tools, AI systems, or international support teams.

What is the Shein data privacy inquiry really testing?

The DPC inquiry concerns SHEIN Ireland’s transfers of personal data of EU/EEA data subjects to China. According to the regulator, the investigation will examine whether SHEIN Ireland has complied with three core areas of the GDPR:

  1. the data protection principles under Article 5,
  2. the transparency obligations under Article 13, and
  3. the Chapter V rules governing transfers of personal data to third countries.

On paper, this may sound like a technical compliance review. In practice, it goes to the heart of how global digital businesses understand, document, and control the movement of personal data across their operating models.

Consider a typical European customer journey. A customer creates an account with an e-commerce platform, browses products, places an order, makes a payment, receives delivery updates, contacts customer support, and later receives personalized offers. That single journey may involve a broad range of sensitive data: account data, order details, payment information, delivery data, browsing behavior, device information, analytics data, and customer service records.

Those data points rarely remain in one self-contained system. Usually they move through payment providers, logistics partners, customer service teams, analytics tools, cloud environments, group entities, sellers, marketing platforms, and sub-processors.

Research on China-EU cross-border e-commerce makes clear that global platforms routinely collect order data, delivery data, payment data, browsing data, device and connection data, location data, and other behavioral information as part of ordinary online commerce.[1]

So the issue is not simply whether data moved. It is whether the organization can show everywhere it moved, who touched it, why the transfer was needed, what safeguards applied, and whether the original assessment still reflects how the platform works today.

That is the detail many global businesses should pay attention to. The Shein inquiry is not just about cross-border transfers in the abstract. It is about growing concern over whether a high-volume digital business can evidence how personal data travels through a global operating model.

While this is the first privacy investigation into SHEIN specifically since it opened its EMEA headquarters in 2023, there is a clear broader crackdown, as evidenced by the DPC imposing more than €4bn in GDPR fines since 2020. That wider context matters. This is not a minor administrative issue. It sits inside a broader regulatory focus on how global technology and platform businesses handle European personal data.

Why do transfers to China raise the evidence bar for cross-border data transfers?

While this reflects a wider trend of scrutiny into EU-Chinese trade relations, transfers to China are not automatically unlawful.

The real issue is that China does not have an EU adequacy decision. An adequacy decision would signify the European Commission has decided that a country provides a level of data protection that is close enough to the EU standard. Where that decision exists, personal data can generally flow more easily.

China does not currently have that status.

The DPC’s background note explains that where no adequacy decision exists, transfers outside the EU/EEA can only occur if other, more stringent Chapter V conditions are met, such as Standard Contractual Clauses. The organization must also verify, guarantee, and demonstrate that the law and practices of the receiving country provide protection essentially equivalent to that guaranteed in the EU.

That turns cross-border data transfer compliance into an evidence question.

It is not enough to say:

  • “We have SCCs.”
  • “We did a privacy review.”
  • “The vendor confirmed it was compliant.”
  • “We covered this during onboarding.”

A regulator, customer, auditor, or board may now ask something far more specific:

  • What data was transferred?
  • What was the transfer mechanism?
  • Was a Transfer Impact Assessment completed?
  • Were the receiving country’s laws and practices assessed?
  • What supplementary safeguards were applied?
  • Who approved the decision?
  • What changed after approval?
  • Can you show the audit trail?

The fact that the data is handled in a country without an adequacy decision (such as China) makes those questions sharper. The issue is no longer just what the written privacy law says.

Academic research on China’s data regime notes that while China’s Personal Information Protection Law has features that draw closer to the GDPR, the real concerns remain around effective implementation, enforcement, public authority access, and national security.[2] These raise far more complex questions to answer.

The wider geopolitical signal: What does Chinese technology scrutiny have to do with data privacy worldwide?


It would be easy to treat this as a retail story. That would miss the bigger point.

Cross-border data transfers sit underneath modern business. They support cloud computing, customer relationship management, digital services, supply chain coordination, financial transactions, service delivery, and international trade. But those same flows also introduce privacy, security, and regulatory complexity.

That complexity is no longer confined to the privacy team.

The same data flow may now touch:

  • vendor risk
  • customer trust
  • cloud governance
  • cyber risk
  • regulatory exposure
  • service continuity
  • procurement
  • geopolitical risk
  • board reporting

That is why the Shein inquiry should not be read in isolation. The DPC’s focus on transfers of EU/EEA personal data to China sits inside a wider European debate about Chinese technology, data sovereignty, cyber risk, and supplier dependency.

Reuters reported that proposed EU cybersecurity rules to phase out Chinese suppliers from critical sectors could cost the bloc more than $300bn between 2026 and 2030, according to a Chinese industry study carried out by KPMG for the China Chamber of Commerce to the EU.[3]

The proposal is, of course, separate from the Shein inquiry, but the underlying concern is connected: European institutions are increasingly asking how data, infrastructure, suppliers, and sovereignty interact.

For business leaders, the point is not to treat every China-linked supplier or data transfer as automatically high risk. That would be too blunt. The point is that regulatory scrutiny is moving toward context.

Where does the data go? Who can access it? Is the supplier part of a wider technology dependency? Could the service be disrupted if laws change? Does the business understand which jurisdictions, sub-processors, hosting regions, and support teams sit behind the service?

The risk categories are converging. Research identifies cross-border data flow risks across sovereignty and jurisdiction, cybersecurity and infrastructure, privacy and data protection, economic and trade restriction, and emerging environmental and sustainability risks.[4] The same study notes that cross-border data governance is becoming central to digital trade regulation as governments try to balance data movement with regulatory sovereignty and policy flexibility.

Put in business terms, the same data flow can touch compliance, cyber, procurement, resilience, ESG infrastructure, customer trust, and commercial continuity. A customer data transfer to an overseas provider may look like a privacy issue at first. But if that provider uses cloud infrastructure in another region, relies on a chain of sub-processors, supports a critical customer-facing service, or sits in a jurisdiction subject to changing political or security scrutiny, the risk is wider than a privacy clause in a contract.

That is the real leadership lesson. Cross-border data transfer risk can no longer be managed as a standalone privacy document. It needs to be connected to third-party risk, cyber risk, operational resilience, legal review, procurement, and board reporting. Otherwise, leaders may know that a transfer mechanism exists, but not whether the wider risk is still acceptable as the business, supplier network, or regulatory environment changes.

Why SCCs and TIAs matter more in this environment

Standard Contractual Clauses, or SCCs, are widely used by companies transferring personal data outside the EU/EEA. They remain important because they create contractual obligations between the data exporter and importer. But they do not, by themselves, control everything that matters. They do not automatically neutralize local law risk, public authority access risk, onward transfer risk, cyber exposure, or weak operational oversight.

SCCs are widely used where there is no adequacy decision, but a recent European ruling reinforced the need for organizations also to assess whether the recipient country offers an equivalent level of protection and to implement supplementary measures such as encryption, pseudonymization, and risk assessments where needed.[5]

This is because SCCs are contractual mechanisms binding the exporter and importer, but they cannot bind public authorities in the third country because those authorities are not party to the contract. Hence, organizations need to assess the destination country’s laws and practices and consider supplementary measures.

In practice, that means organizations need to be able to show why the transfer remains defensible, not just at the point of signature but over time. A Transfer Impact Assessment should therefore answer practical questions:

  • what data is being transferred,
  • which country is receiving it,
  • what transfer mechanism applies,
  • what local law risks exist,
  • what supplementary safeguards are in place, and
  • what would trigger reassessment.

This is where TIAs need to become operational. A TIA should not be a document completed once and stored away. It should sit inside the workflow where transfer risk is created or changed: vendor onboarding, new sub-processor approval, hosting-region changes, new analytics use cases, AI data reuse, group-company access, or changes to support arrangements.

That is the difference between having transfer paperwork and having transfer governance.

The useful question for senior leaders is not, “Do we have SCCs?” It is:

  • Can we show which transfers rely on SCCs?
  • Can we show which transfers involve countries without adequacy decisions?
  • Can we show the latest TIA?
  • Can we show what supplementary measures are in place?
  • Can we show whether the vendor added sub-processors?
  • Can we show whether hosting regions, access rights, or data purposes changed?
  • Can we show who reviewed and approved those changes?

If the answer depends on chasing old emails, procurement records, spreadsheet trackers, and static privacy documents, the operating model is not strong enough for the risk.
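The TIA questions and reassessment triggers above, together with the “Can we show…?” list, describe a check that can be run over a transfer register rather than rebuilt from inboxes each time. The following is an added illustration written for this article, not code from CoreStream GRC or any product: it assumes a hypothetical transfer register with the fields the article names, a placeholder set of adequate destinations (populate it from the Commission’s current list; China is deliberately absent), an assumed one-year TIA review interval, and constructed sample records.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: placeholder set of destinations the organization treats as covered by an
# EU adequacy decision. Maintain it from the Commission's current list; China is absent.
ADEQUATE_COUNTRIES = {"Japan", "Switzerland", "United Kingdom"}

# Assumed policy value: a Transfer Impact Assessment older than this is treated as stale.
TIA_MAX_AGE = timedelta(days=365)

# Change kinds that trigger reassessment, taken from the article's list of triggers.
REASSESSMENT_TRIGGERS = {
    "new_sub_processor", "hosting_region_change", "new_purpose",
    "group_company_access", "support_arrangement_change",
}


@dataclass
class ChangeEvent:
    kind: str          # one of REASSESSMENT_TRIGGERS, or any other recorded change
    occurred_on: date
    detail: str


@dataclass
class Transfer:
    transfer_id: str
    data_categories: List[str]
    destination_country: str
    mechanism: Optional[str]            # e.g. "SCC", "BCR"; None if nothing is recorded
    tia_completed_on: Optional[date]
    supplementary_measures: List[str]
    owner: Optional[str]
    approved_by: Optional[str]
    changes: List[ChangeEvent] = field(default_factory=list)


def assess_transfer(t: Transfer, today: date) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the record is defensible on paper."""
    findings: List[Tuple[str, str]] = []
    if t.owner is None:
        findings.append(("NO_OWNER", "no named owner for the transfer risk"))
    if t.approved_by is None:
        findings.append(("NO_APPROVAL", "no approval record for the transfer"))
    if t.destination_country in ADEQUATE_COUNTRIES:
        return findings  # adequacy route: no Chapter V mechanism or TIA required
    # Non-adequate destination: a Chapter V mechanism plus an evidenced assessment is needed.
    if t.mechanism is None:
        findings.append(("NO_MECHANISM", "no Chapter V transfer mechanism recorded"))
    if t.tia_completed_on is None:
        findings.append(("NO_TIA", "no Transfer Impact Assessment on file"))
    else:
        if today - t.tia_completed_on > TIA_MAX_AGE:
            findings.append(("TIA_STALE",
                             f"TIA dated {t.tia_completed_on} is older than {TIA_MAX_AGE.days} days"))
        # Any triggering change that postdates the TIA means the assessment no longer
        # reflects how the transfer works today.
        for c in t.changes:
            if c.kind in REASSESSMENT_TRIGGERS and c.occurred_on > t.tia_completed_on:
                findings.append(("REASSESS",
                                 f"{c.kind} on {c.occurred_on} postdates the TIA: {c.detail}"))
    if not t.supplementary_measures:
        findings.append(("NO_SUPPLEMENTARY_MEASURES", "no supplementary safeguards recorded"))
    return findings


def register_report(transfers: List[Transfer], today: date) -> dict:
    """Map each transfer id to its findings, so exposure is visible per transfer."""
    return {t.transfer_id: assess_transfer(t, today) for t in transfers}


# Constructed sample register for illustration only; not real transfers or vendors.
SAMPLE_REGISTER = [
    Transfer("T-001", ["order data", "delivery data", "device data"], "China", "SCC",
             date(2025, 3, 1), ["encryption in transit", "pseudonymised identifiers"],
             owner="privacy-lead", approved_by="DPO",
             changes=[ChangeEvent("contract_renewal", date(2026, 1, 5), "annual renewal"),
                      ChangeEvent("new_sub_processor", date(2026, 2, 10),
                                  "analytics sub-processor added by vendor")]),
    Transfer("T-002", ["support tickets"], "Japan", "adequacy decision", None, [],
             owner="support-ops", approved_by="DPO"),
    Transfer("T-003", ["payment data"], "India", None, None, [],
             owner=None, approved_by="DPO"),
]
TODAY = date(2026, 5, 6)  # constructed reference date

if __name__ == "__main__":
    for tid, findings in register_report(SAMPLE_REGISTER, TODAY).items():
        print(tid, "OK" if not findings else "")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

In the sample, T-001 has every document the questions ask for, yet it still surfaces two findings: the TIA is past its review interval, and the vendor added a sub-processor after the assessment was signed off. That is the distinction the article draws between transfer paperwork and transfer governance: the record is only defensible while the triggers are being watched.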

Read our practical guide to building a proactive, always-on data privacy program.

What should senior enterprise leaders ask now?

For senior leaders, the most important practical test is whether the business can answer simple questions without a scramble.

  • Where is EU/EEA personal data stored, accessed, processed, and transferred?
  • Which vendors, sub-processors, group entities, support teams, and cloud environments touch it?
  • Which transfers involve countries without an EU adequacy decision?
  • What transfer mechanism applies?
  • Has the receiving country’s law and practice been assessed?
  • What supplementary measures are in place?
  • Who owns the transfer risk?
  • What business changes trigger reassessment?
  • Can the organization show decisions, approvals, safeguards, and changes over time?

If the answer depends on chasing old emails, spreadsheets, procurement records, screenshots, or disconnected DPIAs, the governance model is not strong enough.

This is not about blaming privacy teams. In many organizations, privacy teams are trying to govern fast-moving data flows with fragmented tools and stale inputs.

That operating model does not match the speed of the risk.

What good cross-border data governance looks like

Good cross-border data governance is not about creating more documents. It is about connecting the documents to the way the business actually works.

A stronger model should give the organization:

  • a live map of personal data flows, including third countries and sub-processors
  • clear ownership for high-risk transfers
  • Transfer Impact Assessments embedded into vendor and change workflows
  • records of the transfer tool, safeguards, approvals, and reassessment triggers
  • contract terms that match reality, including access, retention, incident response, onward transfer, and end-of-contract handling
  • dashboards that show exposure, not just completed tasks
  • escalation routes when risk changes

Our data privacy guide explains the concept of moving from documentation to operating model. A modern privacy strategy needs clear decision points, named owners, trigger-based reassessment, a single source of truth for processing, vendors, transfers and controls, and an audit trail that can be defended without scrambling across inboxes.

That is the practical lesson to take from the Shein inquiry.

Regulators are not only asking whether companies have privacy documents. They are asking whether organizations can prove that cross-border data transfers remain lawful, transparent, safeguarded, and controlled as the business changes.

Conclusion: from data privacy compliance to confidence

Cross-border data risk is becoming harder to separate from third-party risk, cyber risk, cloud governance, AI governance, and geopolitical exposure.

The companies that handle it well will not be the ones with the longest policy documents. They will be the ones that can show, clearly and quickly, where data goes, who touches it, what protects it, and what changed since the last review.

That is where privacy becomes more than a compliance obligation. Done well, it gives leaders confidence that the business can move quickly without losing control of the data it depends on.

Want to assess whether your privacy program is built for live cross-border data risk? Read our practical guide to building a proactive, always-on data privacy program.

FAQ on SHEIN Ireland DPC inquiry and cross-border data risk

What is the SHEIN Ireland DPC inquiry about?

Ireland’s Data Protection Commission has opened an inquiry into SHEIN Ireland over transfers of EU/EEA personal data to China. The inquiry will examine whether SHEIN Ireland complied with GDPR principles, transparency obligations and Chapter V rules on international data transfers.

Are data transfers to China unlawful under GDPR?

No. Transfers to China are not automatically unlawful. The challenge is that China does not currently have an EU adequacy decision, so organizations must rely on other GDPR transfer mechanisms, such as Standard Contractual Clauses, and assess whether the data receives protection that is essentially equivalent to EU standards.

What are SCCs in cross-border data transfers?

Standard Contractual Clauses, or SCCs, are legal terms used to support transfers of personal data outside the EU/EEA. They remain important, but they are not enough on their own. Organizations still need to assess destination-country risks, apply supplementary safeguards where needed and keep evidence that the transfer remains defensible over time.

What should enterprise leaders ask about cross-border data risk?

Senior leaders should ask whether the business can clearly show where EU/EEA personal data is stored, accessed, processed and transferred. They should also ask which vendors, sub-processors, cloud environments and support teams touch that data, what safeguards apply, who owns the risk and whether changes are tracked over time.

How can GRC software support cross-border data governance?

GRC software can help organizations move from static privacy documents to live governance. A strong GRC platform can connect data flows, vendors, risks, controls, approvals, assessments, safeguards and audit trails in one place. This gives privacy, cyber, legal, procurement and compliance teams a clearer view of cross-border data exposure as the business changes.


References and further reading

[1] Yu, L. (2023) The Regulation of Transborder Data Flows from the EU to China Within the Framework of China-EU E-Commerce under the GDPR. Dissertation. Georg-August-Universität Göttingen.

[2] Voss, W.G. and Pernot-Leplay, E. (2024) “China Data Flows and Power in the Era of Chinese Big Tech”, Northwestern Journal of International Law & Business, 44(1), pp. 1–68.

[3] Reuters (2026) “EU plan to phase out Chinese tech could cost bloc over $300 billion, Chinese study says”, 6 May. Reuters reports that a China Chamber of Commerce to the EU study, carried out by KPMG, estimated potential EU costs of €367.8bn between 2026 and 2030 if Chinese suppliers are phased out from critical sectors under proposed cybersecurity rules.

[4] Shi, Y. (2025) “Risk Prevention in Global Cross-Border Data Flows: Challenges and China’s Strategic Responses”, International Journal of Digital Law and Governance, 2(2), pp. 373–399.

[5] Iqbal, S. (2025) “Cross-Border Data Transfers and Privacy Regulations: The Future of the GDPR and Beyond”, Business Law International, 26(3), pp. 217–233.
