Ireland’s Data Regulator Opens Inquiry Into SHEIN Over EU Data Transfers to China

Key Takeaways
  • DPC Inquiry Launched: Ireland’s Data Protection Commission has opened a formal inquiry into Infinite Styles Services Co. Ltd. under the Data Protection Act 2018.
  • Focus on Data Transfers to China: The investigation centers on SHEIN Ireland’s transfers of EU/EEA personal data to China and whether those transfers meet GDPR requirements.
  • Core GDPR Provisions Under Review: The DPC will assess compliance with Article 5 (data processing principles), Article 13 (transparency), and Chapter V (third-country data transfers).
  • Regulatory Scrutiny Increasing: The inquiry reflects broader regulatory focus across Europe on international data transfers, particularly involving China.

Ireland’s Data Protection Commission has opened a formal inquiry into Infinite Styles Services, the Irish entity of SHEIN, examining how it transfers the personal data of EU and EEA users to China.

The inquiry, launched under Section 110 of the Data Protection Act 2018, was formally notified to SHEIN Ireland on April 30, 2026. It centers on whether the company has complied with its obligations under the General Data Protection Regulation when transferring personal data outside the European Union.

At issue is a core requirement of the GDPR. When personal data is moved beyond the EU, it must continue to receive protections that are “essentially equivalent” to those guaranteed within the bloc. The DPC said its investigation will assess how SHEIN Ireland has approached that obligation in practice.

The regulator will examine compliance across several specific areas of the GDPR framework, including the principles governing the processing of personal data under Article 5, the transparency requirements set out in Article 13, and the rules under Chapter V that apply to transfers of personal data to third countries.

In announcing the inquiry, Deputy Commissioner Graham Doyle said the issue of international data transfers, particularly to China, has come into sharper focus.

“When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU,” Doyle said.

He noted that recent regulatory action by the DPC, alongside complaints raised with other European supervisory authorities, has intensified attention on such transfers. The inquiry, he added, is a strategic priority, with the Irish authority intending to work closely with its European counterparts as the investigation progresses.

A Familiar Fault Line in GDPR Enforcement

The case highlights a longstanding challenge within the GDPR framework. While cross-border data transfers are permitted, they are tightly controlled to ensure that individuals’ rights are not weakened once data leaves the EU or EEA.

Under the regulation, transfers can proceed where the European Commission has issued an adequacy decision confirming that a third country provides a sufficient level of data protection. Such decisions have been granted to a defined group of jurisdictions, including Japan, the United Kingdom, and the United States.

Where no adequacy decision exists, organizations must rely on alternative safeguards, such as standard contractual clauses. In those cases, companies are responsible for verifying and demonstrating that the legal and practical conditions in the receiving country provide a level of protection essentially equivalent to that guaranteed within the EU.

The DPC’s inquiry into SHEIN Ireland will examine how those requirements have been applied in this instance, as regulators continue to scrutinize the complexities of global data flows and the safeguards designed to govern them.
