小红书涉嫌违反 UK GDPR 和 DPA 2018

小红书用户隐私政策

小红书与 rednote 用户以手机号码区分，本政策适用于小红书用户，即通过中国大陆地区手机号码进行注册的用户和 2025 年 12 月 8 日 之前已经使用非中国大陆地区手机号注册成为小红书用户。

大概是出于 IPO 考虑，小红书在 25 年末因数据合规而分割出了 Rednote，后者遵从各经济区的数字法案，例如 EEA 区域的 GDPR 和 UK 的 UK GDPR 和 DPA 2018。众所周知，微信绑定非中国大陆（+86）手机号即可切换为 WeChat 并开启 iOS Callkit；但小红书的用户区域标记取决于注册手机号， 这意味着即使你不再是中国大陆居民，个人数据仍然会被非法存储于中国大陆的数据中心，并被非法访问和使用 ¹。

小红书账号被禁言后，必须使用中国大陆居民身份证或者外国人永久居留身份证，并通过人脸识别，才能自主解封。作为一个社交媒体平台，居然想获取生物识别信息，这是严重违反了 GDPR 中的 Data Minimisation 原则。

The higher maximum amount, is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

根据 UK GDPR 的阶梯式处罚机制，涉及跨境数据传输和强制/非法收集生物识别数据的罚金上限为：最高 1,750 万英镑；或者全球年度总营业额的 4%（以较高者为准）。

• 2023 年，TikTok 曾因涉及儿童隐私和不当处理数据被 ICO 处以 1,270 万英镑的罚款。
• 2022 年，Clearview AI Inc 因从社交媒体上收集、分析英国居民的人脸数据，被 ICO 处罚金 750 万英镑。“The ruling reaffirms that companies that wish to monitor the behaviour of UK residents will be in scope of UK data protection law, regardless of where the company is based in the world.”

投诉模板

To: [email protected]

To the Data Protection Officer / Legal Department,

I am writing to you as a data subject residing in the United Kingdom. I am currently using your platform [Xiaohongshu / RedNote] (User ID: [填写你的ID/号]).

1. The Issue I object to the mandatory requirement for real-name authentication involving the submission of government-issued identification (ID) to access or continue using your services.

2. Legal Grounds under UK Law

• Data Minimisation (Article 5(1)(c) of the UK GDPR): Under UK law, personal data must be adequate, relevant, and limited to what is necessary. Requiring full identity documents for a social media platform is excessive and disproportionate to the service provided.

• Lawfulness of Processing (Article 6 of the UK GDPR): There is no legal obligation under the Data Protection Act 2018 or other UK statutes that requires social media users to provide official IDs for general platform use.

• Right to Object (Article 21 of the UK GDPR): I hereby exercise my right to object to the processing of my sensitive biometric/identity data, as I believe your interests do not override my fundamental right to privacy.

3. My Formal Request

• If you have already processed or stored my ID information, I demand its immediate deletion under Article 17 (Right to Erasure).

• [其他诉求]

4. Next Steps

Please acknowledge receipt of this request within one month as mandated by the UK GDPR. Should you fail to provide a satisfactory resolution or continue to restrict my account access based on this non-compliant requirement, I will escalate this matter to the Information Commissioner’s Office (ICO) and seek further legal remedies under Section 167 of the Data Protection Act 2018.

Regards,

[你的名字] [日期]

如果在一个月内没有解决，可以 escalate 到所在区域的数据监管部门：

• EEA: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• 英国: https://ico.org.uk/global/contact-us/
• 瑞士: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

其他

顺便一提，作为位于 GDPR 管辖区域内的用户，即使你不是和小红书签约的“创作者”，也可以合法行使权益，要求导出结构化的用户数据，包括但不限于发布内容（帖子和评论）、搜索、点赞和浏览历史。

Footnotes

1. 不要指望中国境内主体的互联网公司有任何合规观念。参考调包下载链接为推广内容？揭露迅雷的下载调包行为和对拼多多app利用0day漏洞控制用户手机及窃取数据的分析，含分析指引。 ↩