Xiaomi sends users’ personal data beyond India’s jurisdiction

Xiaomi says data can also be transferred to 3rd parties; government cites ignorance.

Hyderabad: Xiaomi, a mobile phone manufacturing company having its headquarters in China, has said on record in their privacy policy that the company transfers personal data outside the ‘user’s jurisdiction’. This means their Indian users’ personal data is being transferred outside the country’s jurisdiction.

In its privacy guidelines, Xiaomi says, “As such complying with applicable laws, we may transfer your (users) personal data to any subsidiary of the Xiaomi group worldwide when processing that information for the purpose described in this privacy policy. We may also transfer your personal data to our third party service providers, who may be located in a country or area outside the area of the European Economic Area (EEA)”.

It is worth noting that the Indian Ministry of Electronic and Information Technology that deals with cyber law and E-security of citizens has no information on personal data transferred outside Indian jurisdiction.

In a Right to Information reply dated April 22, 2019, the ministry said it does not have records and the matter was of no concern to it.

Robin Zaccheus, who filed the RTI, explains the sequence of events that led him to seek information from the ministry: “The son of CRPF martyred soldier Pradeep Kumar, Siddharth Kumar, shared that minutes before the Pulwama attack he spoke to his father over the phone while he was moving from Jammu to Srinagar in a CRPF convoy and his last words were that he was heading to Srinagar base camp and would reach in an hour or so. The rest is known to all.

“This triggered a question in my mind in the quest to understand the possibilities of where we (mobile phone users) could have gone wrong from security and privacy perspective of the soldier’s movements”.

Mr Zaccheus says he knew that Google and some Chinese mobile manufacturing companies in India are transferring the data out of the country’s jurisdiction and nobody is looking at this critically. “The information like Web and APP Activity, Track Location History, Record Voice and Audio Activity and Tracking of YouTube search history is by default in the Google app,” he says.

Aneesh Sharma, an independent security researcher, says there will always be the “threat of data misuse and also being targets for advertising companies. Countless users receive emails and texts from companies they have never given personal information to and we wonder how they are able to contact us. It is because users’ personal data is being shared or sold globally. Users are advised to read the privacy policies of mobile manufacturers.”

Next Story