[Exclusive] 'The Second Roborock' TCL... "Your Data Shared Worldwide" [China Home Appliance Security Warning] ①

TCL's TV product, Photo by TCL

It has been confirmed that Chinese company TCL, which manufactures smart TVs and refrigerators for domestic sales, states in its privacy policy that it can transfer personal information to any country worldwide without customer consent. Previously, Chinese robot vacuum company Roborock sparked controversy by stating it could collect and use personal information without customer consent, but TCL went further by allowing transfers anywhere in the world and subjecting data to foreign laws. In particular, it is difficult to understand TCL’s organizational structure in Korea, raising concerns that there will be limitations in responding if privacy issues arise.

On the 7th, Asia Economy conducted a full survey of the privacy policies of nine Chinese home appliance and electronic device companies that have entered the Korean market, including TCL, Hisense, Xiaomi, Hikvision, Dahua, Uniview, Roborock, Ecovacs, and Dreame. It was found that besides Roborock, TCL and Dahua also have the possibility of providing personal information to affiliates and third parties without customer consent.

TCL’s privacy policy allows the disclosure of personal information to affiliates, subsidiaries, and third parties without separate consent under certain conditions such as ▲ assisting in providing company materials, ▲ selling company products and services, ▲ compliance with laws, or ▲ processing personal information according to privacy protection guidelines.

The particularly problematic clause is the section on 'overseas transfer of personal information.' TCL states that it can transfer information to companies located in other countries for personal information management. It explicitly mentions that "you may be subject to laws other than those enforced in your country (other countries)."

Previously, Chinese company Roborock caused controversy by stating it could collect and use personal information without customer consent within the scope permitted by the data protection laws of the respective country. Later, Roborock issued a statement clarifying that it "strictly complies with Korean laws and regulations" and subsequently revised its guidelines on its website.

TCL has gone a step further than Roborock by opening the possibility of overseas transfer of personal information and the application of foreign laws. The press attempted to contact TCL Korea several times to hear their position but was unable to reach them.

An official from the Personal Information Protection Commission explained, "It is highly likely that customer consent was obtained when initially signing up for the service, and even if consent was not obtained, there is a legal basis to collect information when necessary to comply with legal obligations." They added, "Sometimes companies inevitably need to use information to implement services."

However, experts have diagnosed that there is a risk of information leakage. Professor Park Chunsik of the Department of Information Security at Seoul Women’s University said, "Products from other Chinese companies, including DeepSeaK, also have the potential for information leakage according to their privacy policies." He added, "Since laws differ by country for overseas companies, it is possible they may not consider domestic laws." Regarding overseas transfer guidelines, he stated, "Global companies allow information to be sent to their headquarters, so this needs to be examined more closely."

TCL is rapidly increasing its market share in the global TV market alongside Hisense and Xiaomi. According to market research firm Omdia, last year, the combined market share of three Chinese companies (TCL, Hisense, Xiaomi) in the large-sized TV segment was 31.3%, surpassing the combined market share of Samsung Electronics and LG Electronics (28.4%) for the first time. As Chinese companies narrow the technological gap and market share with Korean companies, the importance of security is increasingly emphasized.

Capture of 'Privacy Policy' posted on TCL Global homepage, capture of TCL Global homepage

The product range of companies that may share personal information according to their privacy policies extends beyond smart TVs to include refrigerators with Internet of Things (IoT) functions, robot vacuum cleaners, and CCTV cameras.

Chinese CCTV company Dahua also stipulates that customer personal information can be transferred and stored on its servers located in other countries. It specifies that information may be transferred to other countries, and the laws and protection levels applied may vary depending on the country.

Dahua allows sharing personal information with third parties only with the explicit consent of customers. However, for "certain trusted third parties (subsidiaries and affiliates)," information can be shared without customer consent.

Among the nine companies surveyed, five (excluding Xiaomi, Dahua, and Ecovacs) did not clearly specify the third-party service providers to whom customer information is transferred. Roborock recently added a detailed list of providers on its website after updating its policy.

Most companies had separate servers to store and manage personal information. Especially for global IoT companies and startups expanding worldwide, it is common to use other companies’ cloud servers to store personal information by country.

Xiaomi stores personal information of Korean users in a data center located in Singapore. Dahua also states that it stores data on servers located in China, the United States, Germany, Singapore, and other locations.

The problem is that in this process, there is concern that Chinese companies may transfer customers’ personal information to their headquarters in China or to third-party companies. Some companies move servers overseas instead of China to alleviate concerns, but the possibility remains that information can still be transferred to headquarters and affiliates, potentially moving personal information to the Chinese headquarters.

Professor Yeom Heung-yeol, emeritus professor of the Department of Information Security at Soonchunhyang University, explained, "Under domestic law, if a personal information handler is involved, affiliates are considered separate legal entities from the headquarters." He added, "If the companies are different, the privacy policy must clearly state this." Regarding overseas transfer regulations, he emphasized, "If services are provided using Korean customers’ personal information, Korean law must naturally be followed."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.