China-based smartphone maker Xiaomi has slid into legal hot water in Singapore, amid growing regional concerns about its apparent lack of privacy protection.
A complaint has been filed by a phone user here, alleging that his personal data had been disclosed without consent.
He claimed he had received unsolicited calls from overseas after using his Xiaomi phone.
Singapore's privacy watchdog, the Personal Data Protection Commission, told The Straits Times it is investigating.
The charge followed an online report in Taiwan late last month that Xiaomi was silently collecting and storing user phone numbers and other device identifiers on the company's servers.
Finnish security specialist F-Secure confirmed the rumours after conducting its own independent test on a brand new RedMi 1S handset.
In a blog post last Thursday, F-Secure said it discovered that the telco name, phone identifier and phone number of the user were all sent to a server named api.account.xiaomi.com
The phone numbers of contacts added to the phone book and from SMS messages received were also sent to the server.
Such moves might run afoul of laws here, said lawyers.
Lawyer Rajesh Sreenivasan, a partner at Rajah & Tann, said some phone apps do collect personal data. "The difference is that users have the option to say 'yes' or 'no' to such collection."
In Singapore, the Personal Data Protection Act provides safeguards against the wrongful collection, use and disclosure of personal data for marketing.
It requires organisations to inform individuals of the purpose for collecting, using and disclosing personal data. They must also get a consumer's explicit consent before they can disclose personal information to a third party.
Xiaomi has been gaining popularity since it started selling phones here early this year.
According to estimates from market research firm IDC, Xiaomi phones accounted for 10 per cent to 20 per cent of all the smartphones shipped here in the second quarter of the year.
On a Google+ Web post on Sunday, Xiaomi vice-president of international operations Hugo Barra wrote a lengthy explanation. He acknowledged data was uploaded but "not kept for longer than necessary". It was needed for its cloud messaging service, which routes messages between two users over the Internet.
The firm also said it would no longer automatically activate phone users for cloud messaging.
A handset software update it rolled out on Sunday now makes cloud messaging an opt-in service - much like chat services WhatsApp and WeChat.