The Straits Times reported on 14 August that Singapore’s Personal Data Protection Commission (the “Commission”) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act 2012 (“PDPA”). This is believed to be the first investigation under the main PDPA rules unrelated to the Do Not Call registry which came into force on 2 July 2014. This investigation will be followed with interest as it may set the tone for how strictly the new privacy legislation will be enforced.
About the PDPA
The PDPA was introduced in phases during the first half of 2014 and is the first privacy specific legislation to be introduced in Singapore. The Do Not Call provisions, which are intended to protect individuals from direct marketing, came into force on 2 January 2014 and the remaining provisions on 2 July. The PDPA aims to implement measures which provide transparency for individuals about how their personal data is used by organisations. It also introduces potential fines for breaches of up to S$1 million per breach.
At a high level, the PDPA sets out a number of key obligations with which organisations must comply:
Notification - must notify individuals prior to collection of the purposes for which they intend to collect, use or disclose the individual's personal data;
Purpose - may only collect, use or disclose personal data about an individual for reasonable purposes in the circumstances or those that have been notified to the individual;
Consent - may only collect, use or disclose the personal data of an individual if consent has been obtained from that individual (subject to certain exclusions);
Access & Correction - individuals must be able to access and correct their personal data upon request to the organisation;
Accuracy, Protection and Retention - must take care of personal data, ensuring that it is:
accurate and complete (if it is likely to be (i) used to make a decision or (ii) disclosed to another organisation);
kept secure; and
only retained while there is a valid purpose or business or legal reason for doing so;
Transfer limitation – organisations must not transfer personal data to a country or territory outside Singapore except where it can ensure that a comparable standard of protection, as provided for under the PDPA, will be maintained over any personal data that is transferred; and
Openness (Compliance and Governance) - organisations are expected to have policies and practices in place to ensure compliance with the PDPA and appoint a single contact (the Data Protection Officer) to manage all privacy related issues for the organisation.
Three Do Not Call Registers and associated provisions to control the sending of marketing messages to Singapore telephone numbers were also established by the PDPA and have been in force since January. These provisions introduce fines of up to S$10,000 per marketing message sent in breach of the provisions. These have been strictly and publicly enforced since coming into effect and the Commission stated in a press release on 23 May 2014 that “investigations have been made in response to 3,700 valid complaints from members of the public against 630 organisations since the DNC provisions took effect on 2 January 2014.”
The Complaint Against Xiaomi
Xiaomi is one of the top selling (some argue the top selling) smartphone brand in China, which is the world’s biggest smartphone market. Like many other smartphone brands, Xiaomi has a cloud messaging service (comparable services include Blackberry Messenger and Apple’s iMessage) that allows users to send messages over the internet to avoid potentially costly SMS or text messaging charges.
On 7 August F-Secure, a Finnish security firm, published the results of their test of a Xiaomi RedMi 1S phone and concluded that on start up the phone automatically sent certain personal data, including information from the user’s phone book, to an external server. Xiaomi Vice President Hugo Barra recently responded to this report stating that the transmitted data was part of Xiaomi's Cloud Messaging service, which can send messages via SMS and over the Internet but that Xiaomi does not store user personal data. Mr Barra has subsequently apologised to users and Xiaomi has introduced an update which makes the cloud messaging service an “opt-in” service (in much the same way as WhatsApp and WeChat) requiring user consent to the terms and the way in which personal data is collected, used and disclosed.
A user has filed a complaint with the Commission alleging that Xiaomi had disclosed his personal data without his consent when he used his phone in Singapore and as a result he was receiving unsolicited calls from overseas numbers.
It is not unusual for smartphones and their applications to track users’ personal data in order to provide messaging services, but most specifically obtain “opt in” consent from users before doing so. The key difference with the Xiaomi situation is that the user is alleging that the phone automatically sent personal data to servers without explaining this to users or obtaining consent for such disclosure.
If the allegations are found to be correct then Xiaomi may have fallen foul of the disclosure obligations under the PDPA by disclosing personal user data to the servers without obtaining valid prior consent from users. In addition, depending on the location of the servers, it is possible that the Commission will consider whether there was a breach of the data transfer obligations, i.e. that personal data had been transferred to jurisdictions outside Singapore without ensuring that it was protected to an equivalent standard as under the PDPA.
It is important to remember that the PDPA has only very recently been implemented in Singapore and companies (and the Commission) are still getting to grips with how it operates in practice. It is possible that this, combined with the quick action taken by Xiaomi to resolve any potential data privacy concerns raised by users, may result in a more lenient stance from the Commission.
It is too early to know how the Commission will conduct its investigation and what the potential outcome may be. But incidents such as this serve as important reminders to companies operating and expanding internationally to be mindful of local data protection and privacy regulations, and the conduct of the investigation and its outcome will be instructive in understanding the teeth behind Singapore’s new data privacy regime.