[China Home Appliance Security Alert]③ "US and Europe Mandate Manufacturer Personal Data Certification... Korea Recommends"

US 'Cyber Trust Mark' System Officially Implemented
EU Mandates Certification for Software-Related Products
Domestic National Certification System Proves Ineffective Despite Its Existence

As demands for personal information protection grow, there are calls for stricter certification management at the national level, because relying solely on companies' voluntary improvements cannot adequately prevent security threats such as personal information leaks or hacking. Recent controversies over the privacy policies of overseas manufacturers such as China's Roborock and TCL have raised concerns that a consumer protection system based on corporate autonomy is insufficient.


The personal information protection certification system does not merely evaluate defenses against external attacks like hacking but comprehensively assesses whether a company's entire personal information processing process operates in accordance with legal standards and personal information protection principles. In other words, it checks whether the procedures for collecting, using, providing, and transferring personal information overseas are lawful and whether the privacy policies meet domestic legal requirements. Since companies manufacturing global Internet of Things (IoT) devices may arbitrarily set privacy policies or transfer personal information abroad without consumer consent, major countries such as the United States and the European Union (EU) strictly mandate such certifications at the national level.


The U.S. Federal Communications Commission implemented the 'Cyber Trust Mark' system this year for smart devices sold within the United States; it comprehensively evaluates whether companies meet the personal information protection and security standards set by the U.S. government. An executive order is also being pursued under which, from 2027 onwards, the federal government would purchase only certified products.


The EU has established even stronger standards. Through the 'Cyber Resilience Act (CRA)' approved last year, the EU mandates national evaluation of the entire personal information management of all digital products sold and distributed in Europe. Companies that fail to comply face hefty fines of up to 2.5% of their global revenue or 15 million euros (approximately 2.1 billion KRW).


On the other hand, although the Korean government operates a state-led information protection certification system, it is criticized for its low effectiveness because it is not mandatory for companies. Currently, the 'Information Security Management System-Personal Information Protection (ISMS-P)' jointly operated by the Ministry of Science and ICT and the Personal Information Protection Commission comprehensively evaluates whether companies processing personal information comply with legal standards not only against external hacking risks but also in internal procedures such as collection, use, provision, and transfer of personal information.


In addition, there are IoT security certifications and Privacy by Design (PbD) certifications, but since companies can choose these voluntarily, their effectiveness is considered limited. In fact, last year, Samsung Electronics' 'Bespoke AI Steam' robot vacuum cleaner was the only product to receive both IoT security certification and PbD certification, while the vast majority of other companies did not obtain certifications.


An industry insider said, "Using the national certification system requires going through complicated procedures and paying certain costs," adding, "Although the Korean government introduced various certification systems long ago, even amid growing security concerns about Chinese robot vacuum manufacturers and suspicions about the transfer of personal information to China, there has been no active move to mandate certifications or investigate these suspicions." He continued, "The Korean government needs to actively expand the application of certifications to protect consumers."


In response, a representative from the Personal Information Protection Commission explained, "Companies may bear financial burdens and need to make significant investments to obtain certifications, so it is not easy for the government to enforce regulations forcibly."


Professor Park Chunsik of the Department of Information Security at Seoul Women's University advised, "The content of information protection policies varies by country and company, and especially in the case of Chinese companies, there may be concerns about information security based on guidelines. The Korean government needs to more strictly manage and supervise not only domestic companies but also global companies regarding personal information protection."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
