September 4, 2022
Ben Packham
The Australian
Sunday 4 September 2022
China's biggest ride sharing company, DiDi, has been referred to the Australian information commissioner amid concerns over the security of its Australian users' data.
Opposition cyber security spokesman James Paterson urged the commissioner to investigate the company's compliance with Australian privacy obligations.
DiDi says its Australian users' information is "only stored and accessed outside China", despite a warning in its privacy policy that it can be shared with entities inside the authoritarian country.
The calls on DiDi came as the Department of Home Affairs said it will investigate data harvesting by social media giant TikTok amid growing privacy concerns over the Chinese-owned app.
Home Affairs Minister Clare O'Neil will receive advice on a "range of options" on how to deal with TikTok and data harvesting, but has ruled out banning it completely.
Senator Paterson said Australian users of the service, which has been fined $1.7bn for contravening Chinese personal information laws, deserved to know their data was safe.
"I remain deeply concerned about the safety and security of Australian user data given the scale of the breaches uncovered earlier this year by Chinese authorities," he said in a letter to the information commissioner.
"I would urge you to exercise your powers ... to consider commencing an investigation into the entity's privacy practices."
DiDi's Australian head of government operations Maria Silos said in a letter to Senator Paterson the company was compliant with all local laws and data privacy principles.
"We have clear access control and strict governance procedures related to data privacy to ensure strict data compliance," she said. "The personal information of DiDi uses in Australia is only stored and accessed outside China."
But the company's privacy policy warns DiDi may disclose its customers' personal information to "other companies within the DiDi group, business partners and service providers or vendors we engage".
"These entities may be located and operate overseas including mainland China and Hong Kong, Singapore, Brazil, the Philippines, Ireland and the United States of America," the policy states.
In July, China's cyberspace regulator found DiDi had illegally collected 12 million pieces of "screenshot information" from users' mobile photo albums, and excessively accumulated 107 million pieces of family relationship information.
Senator Paterson said serious questions remained unanswered about the safety of Australian users' data.
"It's imperative that the government gets to the bottom of DiDi's privacy practices would not only impact Australian users' privacy but could also have significant national security implications," he said.
DiDi shareholders voted to delist from the New York Stock Exchange in May, to allow the firm to complete a cyber security review ordered by Beijing.
