US Law Firm Accuses Lenovo of Bulk Data Transfers to China

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A U.S. law firm has filed a proposed class action alleging that Lenovo’s website tracking and advertising infrastructure enabled “bulk” transfers of Americans’ sensitive identifiers and browsing context to entities tied to China, in violation of the Justice Department’s Data Security Program rules.

The complaint, filed by Almeida Law Group on behalf of San Francisco resident Spencer Christy, frames the alleged conduct as both a privacy harm and a national security risk under the DOJ’s Bulk Sensitive Data Transfer Rule (28 C.F.R. Part 202).

The lawsuit was filed in the U.S. District Court for the Northern District of California (San Francisco Division) against Lenovo United States Inc. and seeks to proceed on behalf of a nationwide class of U.S. users whose electronic communications with Lenovo’s website were allegedly intercepted and used on or after April 8, 2025.

According to the filing, DOJ implemented the “Data Security Program” in April 2025, codified at 28 C.F.R. Part 202, to restrict or prohibit covered data transactions that provide countries of concern or “covered persons” linked to them access to Americans’ bulk sensitive personal data.

The complaint lists “countries of concern” as China, Cuba, Iran, North Korea, Russia, and Venezuela, and notes the rule’s focus on preventing adversaries from acquiring large quantities of behavioral data that could be used for surveillance or exploitation.

At the center of the case are allegations that Lenovo embedded numerous tracking technologies on Lenovo.com, such as pixels, scripts, cookies, and real-time bidding components, that collect persistent identifiers (including IP addresses, advertising IDs, and cookie data) along with “full-string URLs” revealing pages and products viewed.

The filing claims Lenovo integrated tracking from major ad-tech and analytics vendors (including TikTok, Meta/Facebook, Microsoft, Google, Adobe, Index Exchange, Snap, and others) and that these components facilitated collection at scale.

The plaintiff alleges Lenovo collected or maintained data relating to more than 100,000 U.S. persons, meeting the regulation’s “bulk” threshold for covered personal identifiers, and then transmitted or made that data accessible to “covered persons,” including Lenovo Group entities tied to China.

The complaint further argues that Lenovo is a “U.S. person” under the rule, while Lenovo Group qualifies as a “covered person” due to organizational and/or operational nexus to a country of concern, and that certain transfers would therefore be prohibited or restricted unless specific security requirements were met.

It also cites Lenovo’s privacy statement as acknowledging transfers of personal information within the Lenovo Group and to the People’s Republic of China, and claims contractual clauses alone would not satisfy the DOJ rule’s required controls for restricted transactions.

While the allegations are unproven and will be contested, the case highlights how standard ad-tech data flows (persistent IDs plus URL-level context) can be framed as “bulk sensitive personal data” when aggregated and linked to covered persons in countries of concern.

The lawsuit explicitly connects these alleged transfers to Executive Order 14117’s implementing framework, arguing that cross-border access to behavioral data can enable profiling of individuals in sensitive roles and increase coercion or blackmail risk.

Beyond the DOJ rule theory, the complaint also asserts federal and California privacy claims, including alleged violations of the Electronic Communications Privacy Act (ECPA) and California privacy statutes, based on interception and use/disclosure of web communications without valid consent.
