Lenovo denies allegations of transferring data to China — class action lawsuit alleges company uses trackers to expose American behavioral data to ‘foreign adversaries’

U.S.-based Almeida Law Group, which specializes in class-action litigation, has filed a lawsuit against Lenovo, alleging that Lenovo transferred large amounts of data to China. According to the lawsuit [PDF], the company’s actions violate the U.S. Department of Justice’s Data Security Program, which prevents the transfer of large amounts of sensitive personal data to “countries of concern” or “covered persons.” Lenovo has denied the allegations.

“The DOJ Rule was thus implemented to prevent adversarial countries from acquiring large quantities of behavioral data which could be used to surveil, analyze, or exploit American citizens’ behavior,” the lawsuit said. It also added, “In direct violation of the DOJ Rule, Lenovo—through its automated advertising infrastructure and associated databases—transmits Plaintiff’s and potentially millions of other American consumers’ data to China.”

The Plaintiff here refers to one Spencer Christy of San Francisco, California, and “all other similarly situated,” with the case alleging that Lenovo and its Chinese parent company linked his “browsing activity to his identity, track his behaviors, and build detailed profiles reflecting his interests, locations, habits and other private attributes.” It further said that the data is more than just an invasion of privacy, but “a direct threat to national security as it greatly increases the potential for coercion, reputational harm, and/or blackmail.”

Lenovo is far from the only company gathering such data, but the U.S. Entity’s parent, Lenovo Group Limited, is incorporated in Hong Kong, with its headquarters located in Beijing, China. Furthermore, its largest shareholder is Legend Holdings Corporation, a Beijing-based investment firm established by the Chinese Academy of Sciences, a state institution of the People’s Republic of China.

So, aside from being based in one of the “countries of concern,” it also falls squarely under the “covered persons” provision of the DOJ regulation which include “individuals who either reside in ‘countries of concern’ or are controlled by entities in those countries or (ii) entities that are organized or chartered under the laws of, or have their principal place of business in, a country of concern, or are owned 50% or more by such entities.” More than that, the lawsuit asserts that Lenovo Group is subject to Chinese regulations like the National Intelligence Law, Cybersecurity Law, and Data Security Law, which compel individuals and institutions to cooperate with the authorities when asked for data.

When asked for comment, Lenovo told The Register, “Any suggestion that Lenovo improperly shares customer data is false. We take data privacy and security seriously and comply with all applicable data protection laws and regulations globally, including stringent U.S. Requirements. Our data practices are transparent, lawful, and designed to protect our customers.”

Follow 3DTested on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.