In a significant legal development, a U.S. law firm has initiated a class action lawsuit against Lenovo, accusing the technology giant of facilitating the transfer of sensitive personal data from American users to entities in China. This legal move raises serious privacy and national security concerns, highlighting potential violations of the Department of Justice’s (DOJ) Data Security Program.
Allegations of Privacy Violations
The lawsuit, filed by the Almeida Law Group on behalf of San Francisco resident Spencer Christy, claims that Lenovo’s website tracking infrastructure enabled the unauthorized transfer of data. According to the complaint, these actions constitute a breach of the DOJ’s Bulk Sensitive Data Transfer Rule, posing risks to both individual privacy and national security.
The legal action, brought before the U.S. District Court for the Northern District of California, seeks to represent a nationwide class of users whose interactions with Lenovo’s website were allegedly monitored and utilized since April 8, 2025. The DOJ’s security measures, codified in April 2025, specifically aim to prevent countries of concern from accessing bulk sensitive data.
Tracking Technologies Under Scrutiny
Central to the case are claims that Lenovo utilized a range of tracking tools, including pixels, cookies, and scripts, to collect detailed user information. These technologies reportedly gathered persistent identifiers such as IP addresses and advertising IDs, alongside detailed browsing information.
The complaint further alleges that Lenovo incorporated tracking from major ad-tech companies like TikTok, Meta, and Google, facilitating large-scale data collection. It is asserted that data from over 100,000 U.S. users was potentially transmitted to Lenovo entities connected to China, meeting the DOJ’s criteria for bulk data.
Legal and Regulatory Implications
In addition to the DOJ rule, the lawsuit invokes federal and state privacy laws, including the Electronic Communications Privacy Act and California privacy statutes. The complaint argues that Lenovo’s practices involved unauthorized interception and disclosure of web communications.
The legal action also references Executive Order 14117, emphasizing the risks associated with cross-border data access, such as profiling and potential coercion. Lenovo’s own privacy policies are cited, acknowledging data transfers to the Lenovo Group and China, raising questions about compliance with DOJ regulations.
As the court proceedings unfold, the case underscores the complexities of modern data flows and the potential for regulatory challenges when these intersect with international relations and privacy concerns.
Stay informed with the latest updates on cybersecurity and data privacy by following us on Google News, LinkedIn, and X.
