A U.S. law firm has filed a proposed class action alleging that Lenovo violated the Justice Department's Data Security Program rules by enabling "bulk" transfers of Americans' sensitive identifiers and browsing context to entities associated with China through its website tracking and advertising infrastructure.
According to the complaint, which was submitted by Almeida Law Group on behalf of Spencer Christy, a resident of San Francisco, the alleged behavior poses a risk to national security as well as privacy under the DOJ's Bulk Sensitive Data Transfer Rule (28 C.F.R. Part 202). The case, which was brought against Lenovo United States Inc. in the U.S. District Court for the Northern District of California (San Francisco Division), aims to proceed on behalf of a nationwide class of U.S. users who, on or after April 8, 2025, allegedly had their electronic communications with Lenovo's website intercepted and used.
The filing states that in April 2025, DOJ implemented the "Data Security Program," which is codified at 28 C.F.R. Part 202, to limit or forbid covered data transactions that give bulk sensitive personal data about Americans to countries of concern or "covered persons" associated with them.
The complaint highlights the rule's emphasis on preventing adversaries from obtaining vast amounts of behavioral data that could be used for surveillance or exploitation, and it names "countries of concern" as China, Cuba, Iran, North Korea, Russia, and Venezuela.
The case revolves around claims that Lenovo installed a variety of tracking technologies on Lenovo.com, including pixels, scripts, cookies, and real-time bidding components that gather persistent identifiers (such as IP addresses, advertising IDs, and cookie data) and "full-string URLs" that reveal the pages and products viewed. According to the filing, Lenovo incorporated tracking from prominent ad-tech and analytics providers, such as Microsoft, Google, Adobe, TikTok, Meta/Facebook, Index Exchange, Snap, and others, and these elements made data collection easier. According to the plaintiff, Lenovo gathered or kept information about over 100,000 Americans, which satisfied the rule's "bulk" requirement for covered personal identifiers.
The company then allegedly sent or made the information available to "covered persons," including Chinese-affiliated Lenovo Group companies.
According to the complaint, Lenovo is a "U.S. person" under the rule, but Lenovo Group is a "covered person" because of its organizational and/or operational ties to a country of concern. As a result, some transfers would be restricted or forbidden unless certain security requirements were fulfilled. Additionally, it claims that contractual clauses alone would not meet the DOJ rule's required controls for restricted transactions, citing Lenovo's privacy statement as acknowledging transfers of personal information within the Lenovo Group and to the People's Republic of China.
The case demonstrates how common ad-tech data flows, persistent IDs, and URL-level context can be framed as "bulk sensitive personal data" when aggregated and connected to covered persons in countries of concern, even though the accusations are unverified and will be contested. The lawsuit specifically links these purported transfers to the implementing framework of Executive Order 14117, contending that cross-border access to behavioral data can make it possible to profile people in sensitive roles and raise the possibility of coercion or blackmail. The complaint asserts federal and California privacy claims, including alleged violations of the Electronic Communications Privacy Act (ECPA) and California privacy statutes, based on the interception and use/disclosure of web communications without valid consent, in addition to the DOJ rule theory.












