April 23, 2025

[Personal Information – Personal information leakage due to the use of Chinese smart products, domestic and international cases and legal issues]


Hello. I am Attorney Shin Jun-sun from the law firm Cheongchul.


Recently, as the market share of smart devices such as Chinese electric vehicles and robot vacuum cleaners has increased in Korea, legal issues regarding the processing of personal information collected by these products and its transfer abroad have come to the forefront. In particular, following the personal information leak controversy involving the Chinese AI company DeepSeek, the compliance of Chinese smart products with personal information protection laws has come under scrutiny, and the Personal Information Protection Commission has initiated an investigation considering the seriousness of such breaches.


In this blog, I aim to analyze the current status of personal information processing by smart devices and related legal issues based on recent cases, as well as practical response measures to protect users' rights to self-determination concerning their personal information.


[Question] What is the state of personal information leaks arising from the use of smart products?


[Answer]

1. Recent cases of personal information leak issues

Recently, controversies related to the processing of personal information have emerged from various fields of smart devices. Here are some notable cases:


(1) Information leak case of DeepSeek

The Chinese AI company DeepSeek became embroiled in controversy as voice data collected from its AI devices was leaked externally for internal testing purposes. The Personal Information Protection Commission confirmed that DeepSeek transferred Korean users' personal information to its Chinese parent company, ByteDance, and took measures to block new downloads. This case may violate Article 17 and Article 39-12 of the Personal Information Protection Act, as it involved transfer abroad without the explicit consent of the data subjects.


(2) Data collection by electric vehicles such as BYD

The Chinese electric vehicle manufacturer BYD collects a vast amount of personal information, including data from internal and external vehicle cameras, location information, and driving data. According to BYD Korea, this information is stored on Tencent's cloud servers in China. Although the company claims that "personal information is only stored on its own servers and is not shared with its headquarters in China," this raises several legal issues.


  • Lack of adequate procedures to obtain specific consent from data subjects for the transfer of personal information abroad

  • Potential conflict between domestic personal information protection laws and China's data security laws (principle of storage within China)

  • Possible deviation from the purpose due to the vast collection of personal information


(3) Personal information processing by robot vacuum cleaners

Prominent Chinese robot vacuum cleaners like Roborock and Xiaomi have become increasingly popular due to advancements in their technology. To achieve this functionality, these products collect video data from inside homes for indoor mapping and obstacle recognition, and some products also process users' voice information through voice recognition features. Issues have been identified during the transfer of such information to the companies' cloud servers.


  • The collection items, usage purposes, and retention periods in the privacy policy are not clearly specified

  • Lack of specific information regarding third-party provision and transfer abroad

  • Conditions that effectively compel consent by restricting access to specific app services in case of non-consent


2. Key issues under the domestic Personal Information Protection Act

Regarding the collection and use of personal information of domestic consumers by Chinese smart device manufacturers, the following issues arise under domestic personal information protection laws.


  • Article 17 of the Personal Information Protection Act (Provision of personal information): Prohibition of third-party provision without consent from the data subject

  • Article 28-8 (Transfer abroad): Separate consent and protective measures required for transfer abroad

  • Article 22 (Method of obtaining consent): Obligation to clearly inform each consent item separately

  • Article 30 (Privacy Policy): Obligation for specific and clear public disclosure of the processing policy


In specific cases of Chinese smart devices, there is a significant likelihood that the requirements for separate consent and specific notification mandated by the Personal Information Protection Act are not met, as personal information is being processed for transfer abroad based solely on a simple agreement to the terms of service. Furthermore, even though matters related to foreign transfers and personal information protection should be clearly notified in the privacy policy, there are many recent cases where specific information regarding the country of transfer, purpose of transfer, items transferred, and transferee (trustee) is not adequately and clearly communicated.


Moreover, effectively compelling consent as a condition for using app services carries a risk of infringing the data subject's right to self-determination regarding personal information.


Recently, the Personal Information Protection Commission imposed fines of approximately 0 billion won on AliExpress, a Chinese platform, for violating the Personal Information Protection Act. This indicates the Commission's position that overseas companies must not only comply formally with domestic personal information protection laws but must also guarantee in practice the right to self-determination of domestic data subjects, and that it will actively impose sanctions in the case of violations.


3. Global sanctions against Chinese companies

Recently, sanctions against Chinese companies regarding the processing of personal information have been strengthened, particularly by the EU and the US. In January 2025, the European privacy protection organization noyb sued six Chinese companies, including TikTok and Xiaomi, for violations of GDPR. The core issues include the illegal transfer of EU user data to China, lack of transparency, and problems with the process of obtaining user consent.


A notable sanction case involves fines against TikTok. In 2021, the Netherlands imposed a fine of 750,000 euros for inadequate child data protection, while in 2023, Ireland imposed a fine of 345 million euros for problems with default public settings for youth accounts. The US also enacted the "Protection of Americans' Data from Foreign Adversaries Act (PADFA)" in 2024, prohibiting the sale of American citizens' personal data to "foreign adversaries" including China.


This strengthening of international regulations extends beyond just personal information protection issues to conflicts in global digital economy regulations. The fundamental clash between China's personal information protection laws and Western personal information protection laws is a key point, and the conflict is intensifying in terms of protecting national interests.


4. Conclusion and practical implications

The issues regarding personal information processing by Chinese smart devices need to be understood in a larger context beyond simple consumer choice — in terms of clashes in data regulation policies between countries. The trend of increasing sanctions against Chinese companies in the EU and the US will also be an important reference point for our country's personal information protection policies.


To protect domestic users' personal information, first and foremost, companies as data processors must clearly recognize their obligations to comply with domestic laws. In particular, obtaining separate consent from the data subject for the transfer of personal information abroad, clearly notifying the purpose and items of processing, and transparently publishing the privacy policy are essential. Additionally, the investigation of DeepSeek by the Personal Information Protection Commission and the sanction case against AliExpress show that there are no exceptions for foreign companies in complying with domestic laws.


From a consumer perspective, it is vital to carefully check the privacy policies of products when purchasing and using smart devices and to limit consent for the collection of non-essential personal information, thus actively exercising one's right to self-determination regarding personal information. It is important to recognize that there may be risks of personal information breaches behind convenience and low prices, and raising awareness of personal information protection is crucial at this point.


403 Teheran-ro, Gangnam-gu, Seoul, Rich Tower, 7th floor

Tel. 02-6959-9936

Fax. 02-6959-9967

cheongchul@cheongchul.com

Privacy Policy

Disclaimer

© 2025. Cheongchul. All rights reserved
