When consumer protection meets state surveillance

How buying goods from online retailers based in China means giving away far more than you bargained for.

I had just completed my draft paper on examining consumer rights for digital products and discovered during my research that there were several reports and commentaries about the popular retailers TEMU and SHEIN. One was a YouTube discussion about TEMU [1], the others were European Commission reports on both SHEIN [2] and TEMU [3].

Despite their popularity with consumers, a concerning theme was emerging in that both companies had been accused of not meeting the standards required under UK and EU regulatory laws. Indeed, both TEMU and SHEIN are currently under investigation by the Consumer Protection Cooperation (CPC) Network [4] for selling unsafe and illegal products, with TEMU having already been found to be in breach of the Digital Services Act (Regulation (EU) 2022/2065. [5] 

Accusations levied towards both TEMU and SHIEN include:

• fake discounts,
• engaging in pressure selling,
• providing misleading information about product safety,
• fabricating reviews,
• hiding behind layers of corporate anonymity. 

All of which can be addressed via existing statutory laws in both the UK and the EU. In the UK, for example, the Consumer Rights Act 2015 (CRA) and the Digital Markets, Competition and Consumers Act 2024 (DMCCA 2024) would apply. In the European Union, the relevant directives are the Unfair Commercial Practices Directive (2005/29/EC) and Directive (EU) 2019/770 on digital content. 

In addition to these, the Digital Services Act (Regulation (EU) 2022/2065) further strengthens existing protections by imposing duties of transparency, accountability, and due diligence on large platforms such as TEMU and SHEIN. 

Yet, despite these protections and the accusations, both SHEIN and TEMU continue to grow with abundance and at great speed.

In 2023, SHEIN reported sales of approximately USD$32.5 billion [6], while TEMU, via PDD Holdings, reported revenues exceeding USD$35.5 billion. [7] Together, accounting for a reasonable share of the $4 trillion global online retail trade market.

So, what is really going on here and why do the consumer laws appear powerless to stop them?

Well, both companies are based in China. 

The UK and EU regulatory laws have no jurisdiction in China and despite these regulatory laws being in existence, they remain largely ineffective when it comes to stopping companies that operate outside their domestic laws. 

You see, the UK and EU consumer laws are restricted to focusing in on what they can see: the item that you order, the reviews you read, and the price you pay within their borders. What they don’t address is the invisible systems behind them, what makes them work and who has access to them beyond their sphere of influence. This is where the most significant risk lies when dealing with online organisations.

When you look at SHEIN and TEMU, and especially China, research reveals a much darker picture. One that extends far beyond the realms of defective goods and deceptive advertising. Terrifyingly, from the darkness emerges profound questions about your privacy, your data, and especially red flags about what Chinese state surveillance are doing with it.

What consumers won’t see

In October 2025, Ken McCallum, the Director-General of the Security Service (MI5), warned in his annual threat update, of the growing threat and challenge posed by the Chinese state to the United Kingdom. [8]

Although Ken did not specifically mention TEMU and SHEIN in his address, his comments still highlighted the risk of foreign powers leveraging digital platforms for surveillance and data acquisition.

As a consumer, engaging with platforms such as SHEIN and TEMU would typically involve you transferring extensive personal information about yourself, some of which includes: 

• names,
• addresses,
• payment details,
• browsing patterns,
• geolocation data. 

Now, while most of this is routine in global e-commerce transactions, and in most cases you would feel safe about doing so, it takes on a whole new meaning when the data is processed under a Chinese legal framework.

For example, Chinese law imposes far-reaching obligations on organisations and individuals to cooperate with state intelligence. The National Intelligence Law 2017 [9] includes:

• Article 7 obliges “all organisations and citizens” to support, assist, and cooperate with national intelligence efforts.
• Article 9 rewards individuals who contribute to such efforts.
• Article 10 authorises intelligence agencies to collect and process information related to national security interests, without territorial limitation.
• Article 16 permits these agencies to access restricted areas, conduct investigations, and question persons or entities, regardless of their location.

In practice, these provisions mean that Chinese companies cannot lawfully refuse state requests for data and are prohibited from disclosing such cooperation. Or in simple terms, we, the consumer, have no idea what SHEIN and TEMU are doing with our data nor what the Chinese intelligence community are doing with it either.

The Cybersecurity Law of 2017 [10] further complements this framework through the Multi-Level Protection Scheme (MLPS), which classifies information systems by sensitivity and mandates compliance.

• Article 28 requires network operators (meaning social media) to provide “technical support and assistance” to public security and national security bodies.
• Article 37 mandates that operators of critical information infrastructure store personal and important data within mainland China.

Or in other words, when a Chinese company claims to host data overseas, then the Chinese authorities can compel them to provide access and assurances of foreign data storage, and there is little they can do about it. 

Why regulators are struggling

Existing consumer and data protection regimes in the UK, the EU, and the USA are not designed to confront the new convergence of commerce and national security.

The Consumer Rights Act 2015 and the General Data Protection Regulation (GDPR) in the UK may provide remedies for defective goods and data misuse in the UK and across Europe. Yet neither can handle the scenario where a foreign government compels a business to hand over its consumer data under the pretext of national security.

In the United States, they too face similar issues. Regulatory bodies such as the Federal Trade Commission (FTC) [11] and the Consumer Product Safety Commission (CPSC) [12]  may be able to pursue false advertising and safety breaches but they too lack the statutory authority to assess whether digital marketplaces pose an intelligence risk to their country and their citizens. 

Despite European regulators having now begun the process of tackling fake reviews and manipulative app designs, they too still cannot restrict data being processed under foreign surveillance laws, even when it is being done right under their legislative noses. Now that is scary.

What needs to happen next

To address the risk, we need a new modernised regulatory framework. One that acknowledges that consumer protection, data governance, and national security are all intertwined.

The following steps have been outlined to propose a path for future reforms.

1. Transparency obligations: Platforms should disclose whether they are subject to foreign intelligence or data-access laws. Consumers deserve to know who may lawfully access their data and, more importantly, what will be done with it.
2. Risk-based restrictions: Platforms that pose surveillance or data exfiltration risks should face restrictions or bans and unsafe digital platforms should be treated like unsafe physical products are treated.
3. Integrated legal frameworks: Effective governance must involve cross-agency cooperation between consumer bodies, data regulators, and national security agencies.

Michael Anwyll

Michael is a first-year student on the graduate law degree with the Open University. He is a procurement professional by career and has over 40 years of experience negotiating complex contracts in both the public and private sectors. 

He spent a couple of years running an international master-of-laws program at Chulalongkorn University in Thailand and earned his LLM in IT and Telecommunications Law in 2007. 

He has always wanted to do law as a bachelor’s degree, but never quite got around to it. However, he was fortunate enough to receive a disabled veteran’s scholarship to start his LLB studies with the OU this year and feels very privileged to be learning about a subject he has always been passionate about. He now wonders why it took him so long to get here.
 

References