[Security Alert Sound from Chinese Home Appliances]② Repeated Security Controversies of Chinese Companies... Cybersecurity Committee's Response is 'Too Late'

Despite Ongoing Data Leaks, No Compensation Responsibility
Japan Orders Over 20 Billion KRW in Corporate Damages
Higher Fines and Stricter Systems Lead to Greater Accountability
Korea Still Lags Behind in Personal Information Protection

In recent years, personal information leaks and hacking incidents have repeatedly occurred in internet-connected products such as surveillance cameras and robot vacuum cleaners manufactured by Chinese companies, but the government's response has been passive. Consumers have had to bear the damage themselves because neither proper compensation nor corporate punishment has followed these leaks. This has been widely criticized as a result of the low penalty levels and institutional shortcomings of the Personal Information Protection Commission (PIPC). Consequently, concerns are growing that a second and third Roborock or TCL will continue to emerge.



Similar problems were repeated in last year's AliExpress case. It was revealed that AliExpress had provided the personal information of domestic consumers to about 180,000 overseas sellers without permission, but it avoided legal responsibility simply because it was an intermediary platform. The fines of 1.978 billion KRW and penalties of 7.8 million KRW imposed by the government were far from sufficient for compensation, and the affected consumers received no compensation at all. This is due to the current legal system requiring consumers to prove the damage themselves, which is pointed out as a factor making consumer damage relief difficult.


Other personal information leak incidents that occurred in Korea in the past ended similarly. Homeplus sold about 24 million customer personal information records to insurance companies from 2011 to 2014, leading consumers to file a class-action lawsuit, but the Supreme Court ruled that consumers must prove the damage themselves. As a result, only a very small number of victims received small compensation rulings, and most victims were not protected.


Compared to major foreign countries, the level of consumer protection and the severity of corporate punishment in Korea are considerably low. The European Union's (EU) General Data Protection Regulation (GDPR) allows fines that can reach more than 1 trillion KRW for violations and enforces substantial compensation to victims. In fact, Ireland imposed a fine of 1.2 billion euros (about 1.7 trillion KRW) on Meta for transferring the personal information of EU member state citizens to its U.S. headquarters servers and ordered immediate action. In the United States and Japan as well, tens of billions of KRW have been paid in compensation to victims of personal information leaks.


The Korean government has the Personal Information Protection Commission under the Prime Minister's office. Recently, it emphasized the importance of information protection by imposing hundreds of millions of KRW in fines on global companies such as Meta and Kakao, but there are many criticisms that relief for affected consumers and punishment of responsible parties remain insufficient. The PIPC has also been criticized for its ineffectiveness as it only begins inspections after incidents occur. The PIPC is currently conducting a status check on the personal information processing of robot vacuum cleaner manufacturers such as Roborock, which have recently been involved in security controversies, and plans to convert it into a formal investigation if legal violations are confirmed. However, this measure is also criticized as a 'belated response.'


The National Assembly recently passed an amendment to the Personal Information Protection Act in the Political Affairs Committee. The amendment includes strengthening consumer protection by requiring overseas companies to designate domestic agents and shifting the burden of proof for personal information leak damages to companies. However, since companies can still transfer personal information to overseas headquarters to evade domestic laws, it is continuously pointed out that an active role and institutional strengthening of the PIPC are essential to fundamentally solve the problem.


Professor Kim Seung-joo of Korea University's Graduate School of Information Security said, "The Personal Information Protection Commission is currently conducting investigations and imposing fines, but is it effective?" He added, "A system should be established only when all elements are met, such as how to ensure the effectiveness of personal information management, which institution conducts evaluation and certification, and how to enforce overseas companies."

Goh Hak-su, Chairperson of the Personal Information Protection Commission. Photo by Yonhap News


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
