Singapore

Singapore’s Personal Data Protection Commission (the Commission) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act of 2012 (PDPA). As this is believed to be the first major investigation regarding this act since the introduction of the main data protection rules on 2 July 2014, it may set the tone for how strictly the new privacy legislation will be enforced.

The PDPA was introduced in phases during the first half of 2014 and is the first privacy-specific legislation to be introduced in Singapore. The aim of the act is to implement measures which provide transparency for individuals about how their personal data is used by organisations, as well as strict penalties for companies found to breach the rules.

Xiaomi, one of the top-selling smartphone brands in China, has a cloud messaging service that allows users to send messages over the Internet to avoid text messaging charges. A recent test, the results of which were published on 7 August 2014, concluded that on start-up, the phone automatically sends certain personal data, including information from the user’s phone book, to an external server.

Xiaomi Vice President Hugo Barra recently responded to this report stating that the transmitted data was part of Xiaomi’s Cloud Messaging service, which can send messages via SMS and over the Internet, but that Xiaomi does not store user personal data. Mr Barra has subsequently apologised to users and Xiaomi has introduced an update which makes the cloud messaging service optional, and requires that users consent to the terms and the way in which personal data is collected, used and disclosed.

One user has filed a complaint with the Commission alleging that Xiaomi had disclosed his personal data without his consent when he used his phone in Singapore, and that, as a result, he was receiving unsolicited calls from overseas numbers.

It is not unusual for smartphones and their applications to track users’ personal data in order to provide messaging services, but most specifically obtain consent from users before doing so. The key difference with the Xiaomi situation is that the user is alleging that the phone automatically sent personal data to servers without explaining this to users or obtaining consent.

If the allegations are found to be correct, Xiaomi may have fallen foul of the disclosure obligations under the PDPA by disclosing personal data without valid prior consent. In addition, it is possible that there was a breach of the PDPA’s data transfer obligations, meaning that personal data had been transferred to jurisdictions outside of Singapore without ensuring that it was protected to the PDPA’s standards.

Luke Grubb, partner at Latham & Watkins, stated: “It is important to remember that the PDPA has only very recently been implemented in Singapore and companies (and the Commission) are still getting to grips with how it operates in practice. It is possible that this…may result in a more lenient stance from the Commission.” Mr Grubb went on to say: “It is too early to know how the Commission will conduct its investigation and what the potential outcome may be. But incidents such as this serve as important reminders to companies operating and expanding internationally to be mindful of local data protection and privacy regulations.”
