Letter to Commission on Xiaomi smartphones security concerns

Dear President von der Leyen,
dear Commissioner Breton,

We, the undersigned Members of the European Parliament, would like to express concerns about mobile phones distributed by the Beijing-based company Xiaomi. Founded in 2010, the company is currently the world’s second largest manufacturer of smartphones. In the European market, it ranks second only to Samsung.

In September 2021, the National Cyber Security Centre under the Lithuanian Ministry of National Defence published a report on the cyber security of 5G smartphones produced by Chinese smartphone manufacturers Huawei, Xiaomi and OnePlus. The report found serious security vulnerabilities in the Xiaomi smartphone under investigation in relation to built-in software applications that affect personal data protection and freedom of speech.

According to the report, the smartphone model under investigation may be collecting an excessive amount of user data and transmitting it in encrypted form to a third country not covered by the EU’s General Data Protection Regulation (GDPR). The data is also stored in that third country. In addition, the report points out that the smartphone’s software is able to recognise and censor certain terms, based on a list of keywords banned in China that is regularly updated. Banned terms include “Free Tibet”, “89 Democracy Movement” or “The Voice of America”. This censorship function is apparently deactivated on mobile phones intended for the European market, but can be activated remotely.

In early January 2022, the Taiwanese National Communications Commission (NCC), a Taiwanese government agency, verified the findings of the Lithuanian report. The NCC found several built-in programmes that could potentially hinder the smartphone’s access to websites with content considered politically sensitive in China.

Despite public statements by Xiaomi attempting to downplay the security risks, it is important to highlight that China’s 2017 National Intelligence Law requires Chinese technology companies and citizens to cooperate with Chinese intelligence agencies upon request. Thus, there is always the possibility that a large amount of data collected by Xiaomi in Europe will be passed on to Chinese intelligence services, thereby violating the data privacy and security of European citizens.

It is against this background that we would like to address this issue and raise several questions:

Firstly, are you aware of these reports and the security implications for European users of Xiaomi smartphones?

Secondly, have you tried to verify these findings or launched an independent security investigation at EU level? If not, will you consider doing so?

Thirdly, how can you guarantee that Xiaomi or other Chinese smartphone manufacturers operating in Europe comply with GDPR principles and do not censor content through built-in software?

We look forward to your reply.

With kind regards,

Reinhard Bütikofer, Greens/EFA (Germany)
Andrius Kubilius, EPP (Lithuania)
Bert-Jan Ruissen, ECR (Netherlands)
Salima Yenbou, Greens/EFA (France)
Ignazio Corrao, Greens/EFA (Italy)
Rasa Juknevičienė, EPP (Lithuania)
Rasmus Andresen, Greens/EFA (Germany)
Carlo Fidanza, ECR (Italy)
Anna Fotyga, ECR (Poland)
Karsten Lucke, S&D (Germany)
Hermann Tertsch, ECR (Spain)
Petras Austrevicius, Renew (Lithuania)
Bart Groothuis, Renew (Netherlands)
Evelyne Gebhardt, S&D (Germany)
Tineke Strik, Greens/EFA (Netherlands)
Michael Bloss, Greens/EFA (Germany)
Ivan Štefanec, EPP (Slovakia)
Engin Eroglu, Renew (Germany)
Assita Kanko, ECR (Belgium)
Miriam Lexmann, EPP (Slovakia)
Michal Šimečka, Renew (Slovakia)
Rosa D'Amato, Greens/EFA (Italy)
Hannah Neumann, Greens/EFA (Germany)
Jakop Dalunde, Greens/EFA (Sweden)
Anna Cavazzini, Greens/EFA (Germany)
Vlad Gheorghe, Renew (Romania)
Raphael Glucksmann, S&D (France)
Patrick Breyer, Greens/EFA (Germany)
Mikulas Peksa, Greens/EFA (Czechia)
Hilde Vautmans, Renew (Belgium)