Dutch Bike-Share Programs Run by Chinese Tech Firm Transfer User Data to China

December 20, 2018 Updated: December 25, 2018

As global concerns mount about security risks involved with Chinese tech companies, two Dutch cities have discovered that user data from their bicycle-sharing programs—operated by a Chinese firm—is being transferred to China and Singapore.

Mobike, based in Beijing, is the world’s largest for-hire, dockless bike-share operator. Mobike has a presence in the Netherlands, known throughout Europe for its bike-friendly reputation. The Chinese firm operates the silver-and-orange Mobikes found throughout Rotterdam and Delft.

However, a Dec. 12 report by Dutch online news site, Nu.nl, indicates that the Mobike app has been violating new European Union privacy laws through its collection and transfer of data.

The system works by relying on the Mobike app: First, a user scans a QR code on the bike to unlock and use it. Then, a user pays for the ride using mobile payment technology: The company prides itself on being cash-free.

While in the United States, it’s quite common for mobile apps to ask for permission to share one’s GPS location or phone number (often to verify one’s identity), the EU’s General Data Protection Regulation (GDPR)—which went into effect in May across all EU member nations—requires that users be more properly informed before sharing such information.

A look at Mobike’s privacy policy, which can be accessed when viewing the app on Apple’s and Android’s app store, reveals that user data can be collected and transferred to “a destination outside the European Economic Area (‘EEA’), such as China and Singapore.”

“The European Commission has not made an adequacy decision in respect of China or Singapore so any such transfer will be based on your consent to such transfer,” the privacy policy reads.

Most mobile users wouldn’t readily see the privacy policy, however, which appears in the lower part of the app’s homepage only after scrolling down. Users aren’t prompted immediately with the privacy policy upon downloading the app.

A data-protection expert quoted in the Nu.nl article said that means Mobike is violating the new GDPR rules.

“They can choose not to create an account, but after installation, their location is already collected and processed before they can freely consent and know what happens to the data,” said Zhao Bo, an expert on cross-border data protection at Tilburg University in Holland.

Mobike spokesperson Steve Milton said the company is indeed in compliance with the new EU rules. “Our approach is similar to that of other companies active in this sector,” he told Nu.nl.

But Zhao said other transportation-related apps in the Dutch market don’t have such parameters, such as apps developed by Nederlandse Spoorwegen, the privately owned national railway system; and Algemene Nederlandse Wielrijdersbond, the country’s largest nonprofit travelers association. The latter’s app provides traffic and parking information.

Because Mobike users have little control over what happens to their data, that means “they have no means [of knowing] if these data are being misused in China or sold outside of China,” Zhao said.

Government officials and intelligence experts throughout Western countries have recently spoken about the risk for espionage and back-door access when using China-manufactured tech products.

Follow Annie on Twitter: @annieeenyc