As global concerns mount about security risks involved with Chinese tech companies, two Dutch cities have discovered that user data from their bicycle-sharing programs—operated by a Chinese firm—is being transferred to China and Singapore.
Mobike, based in Beijing, is the world’s largest for-hire, dockless bike-share operator. Mobike has a presence in the Netherlands, known throughout Europe for its bike-friendly reputation. The Chinese firm operates the silver-and-orange Mobikes found throughout Rotterdam and Delft.
The system works by relying on the Mobike app: First, a user scans a QR code on the bike to unlock and use it. Then, a user pays for the ride using mobile payment technology: The company prides itself on being cash-free.
While it’s quite common in the United States for mobile apps to ask for permission to share one’s GPS location or phone number (often to verify one’s identity), the EU’s General Data Protection Regulation (GDPR), which went into effect in May across all EU member nations, requires that users be more properly informed before sharing such information.
A data-protection expert quoted in the Nu.nl article said that means Mobike is violating the new GDPR rules.
“They can choose not to create an account, but after installation, their location is already collected and processed before they can freely consent and know what happens to the data,” said Zhao Bo, an expert on cross-border data protection at Tilburg University in Holland.
Mobike spokesperson Steve Milton said the company is indeed in compliance with the new EU rules. “Our approach is similar to that of other companies active in this sector,” he told Nu.nl.
But Zhao said other transportation-related apps in the Dutch market don’t have such parameters, including apps developed by Nederlandse Spoorwegen, the privately owned national railway system, and by Algemene Nederlandse Wielrijdersbond, the country’s largest nonprofit travelers association. The latter’s app provides traffic and parking information.
Because Mobike users have little control over what happens to their data, “they have no means [of knowing] if these data are being misused in China or sold outside of China,” Zhao said.