wordpress blog stats
Connect with us

Hi, what are you looking for?

Xiaomi exports personal data of Indian users to foreign third parties: Report


Deccan Chronicle reports, based on Chinese mobile phone maker Xiaomi’s privacy policy, that the company transfers personal data of Indian users to third-party service providers outside the users’ jurisdiction. The privacy policy is quoted thus: “As such complying with applicable laws, we may transfer your personal data to any subsidiary of the Xiaomi group worldwide when processing that information for the purpose described in this privacy policy. We may also transfer your personal data to our third-party service providers, who may be located in a country or area outside the area of the European Economic Area (EEA)”. Xiaomi is the leading mobile phone maker in India, with a 27% market share in the fourth quarter of 2018, as per News18.

The report also says that MEITY in a response to an RTI query, said that it did not have any information about personal data transferred outside India’s jurisdiction and that the matter was of no concern to it. This is surprising, considering both the draft Personal Data Protection Bill 2018 and the draft national eCommerce policy have data localisation rules that address the flow of data outside India’s borders. While the DP Bill requires companies to store a copy of all personal data within India, the data storage requirements in the eCommerce policy are even more stringent. They severely limit the freedom of businesses to transfer or share sensitive data that is processed in India once it is outside the country, regardless of customer consent. In effect, they necessitate the setting up of data centres in India to minimise the need to store sensitive data abroad.

What the draft data protection bill says

Section 40, Restrictions on Cross-Border Transfer of Personal Data states:

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

Advertisement. Scroll to continue reading.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

(From the Personal Data Protection Bill, 2018; emphasis ours)

What the draft eCommerce policy says

In February the Department for Promotion of Industry and Internal Trade released India’s Draft eCommerce Policy, which addressed data localisation among many other issues. Read our comments to DPIIT on the policy here, and our summary of the policy here. Below is what it said about cross border dat flow:

“A business entity that collects or processes any sensitive data in India and stores it abroad, shall be required to adhere to the following conditions:

  • All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent
  • All such data stored abroad shall not be made available to a third party, for any purpose, even if the customer consents to it
  • All such data stored abroad shall not be made available to a foreign government without the prior permission of Indian authorities
  • A request from Indian authorities to have access to all such data stored abroad shall be complied with immediately
  • Any violation of these conditions shall face the prescribed consequences (to be formulated by the Government).”

“Restrictions on cross-border flows of data shall not apply to the following:

  • Data that is not collected in India
  • B2B data sent to India as part of a commercial contract between an Indian business entity and a business entity located outside India
  • Software and cloud computing services involving technology-related data flows, which have no personal or community implications
  • MNCs moving data across borders… internal to the company and its ecosystem, and does not contain data that has been generated by users in India from various sources, including eCommerce platforms, social media activities, search engines etc.”

We have reached out to Xiaomi for comment. The post will be updated with their response.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ