my timesThe Korea Times
  1. Business
  2. Tech & Science

Concerns persist over Chinese appliance makers’ personal info protection

Listen
By Nam Hyun-woo
  • Published Jul 15, 2025 4:01 pm KST
  • Updated Jul 15, 2025 4:08 pm KST

Calls grow for tougher oversight of Chinese firms’ data compliance

Models promote Roborock's new vacuum cleaner at a pop-up in Shinsegae Department Store Gangnam in Seoul, June 17. Courtesy of Shinsegae Department Store

Models promote Roborock's new vacuum cleaner at a pop-up in Shinsegae Department Store Gangnam in Seoul, June 17. Courtesy of Shinsegae Department Store

Doubts continue to mount over Chinese home appliance makers’ personal data protection policies in Korea, as companies such as Xiaomi and Roborock maintain practices that allow their headquarters in China to access Korean users’ private information.

Roborock, the world’s biggest robot vacuum cleaner maker, recently faced controversy over a March 14 update to the privacy policy of its official Korean website, which stated that the company “collects and processes users’ personal information in China in order to provide services.”

It added the same clause to its updated privacy policy for its smartphone app on March 31. The previous version, which took effect on Oct. 22, 2024, had stated that data from Korean users would be collected through a U.S.-based data center, but the new version replaced that with a table that suggested data would be collected through centers in Singapore and other countries.

To fully use the features of Roborock robot vacuum cleaners, users are required to install the smartphone app and sign up for an account. Since the devices collect images and data from inside homes through built-in cameras and sensors, consumer concerns over privacy continue to grow.

China’s Cybersecurity Law is also triggering concerns among users, as it requires Chinese companies operating both domestically and abroad to provide data to the Chinese government upon request under certain conditions.

Amid growing controversy and complaints in Korean online user communities, Roborock on July 10 said on its Korean website that the phrase means that “Roborock, as the data controller, is in the position of overseeing the collection and processing of personal information.”

“It does not mean that users’ data is transferred to or stored in China,” the statement read. “Korean users’ personal information is stored at a data center located in the United States in an encrypted form.”

The company, however, said that its Chinese headquarters can “access a very limited level of personal information under thorough control,” adding that Korean law requires it to disclose the location of the data controller’s country — China — even if the data is collected and processed in the U.S.

It also said, “When providing the personal information of Korean users to third parties, including foreign governments, we strictly comply with Korea’s Personal Information Protection Act.” However, the company did not provide detailed information on the circumstances under which its Chinese headquarters can access the data.

Visitors inspect Xiaomi products at the brand's official offline store at IFC Mall in Seoul, June 25. Yonhap

Visitors inspect Xiaomi products at the brand's official offline store at IFC Mall in Seoul, June 25. Yonhap

Xiaomi, which set up its Korean entity in January and recently opened its first official offline store in Seoul, is also facing similar concerns.

Xiaomi has stressed that its servers are also located in Europe, Singapore and other countries, separate from those in China. The company said that this setup prevents the personal data of Korean users from being transmitted to China.

The company’s privacy policy states that the personal data of Korean users is stored at a data center in Singapore, but also notes that the countries hosting its global facilities and third-party service providers may not offer the same level of personal information protection as Korea.

Of greater concern are the persistent suspicions that Chinese IT companies have been using the personal information they collect for various purposes, including product development.

In April, the Korean government’s Personal Information Protection Commission announced that Chinese artificial intelligence (AI) service provider DeepSeek had transferred Korean users’ private data without consent during its service period to a total of four companies based in China and the U.S. Industry officials suspect that the information may have been used for various purposes, including product development and improving AI performance.

“Through their privacy policies, Chinese companies may claim that no personal data is sent to China without consent, but it is hard to verify this until a breach occurs,” said Lim Jong-in, distinguished professor at Korea University’s School of Cybersecurity.

“China’s privacy protection standards are not on par with those of other developed countries, raising concerns that customer data could be used for privacy violations, espionage or product development… Although companies claim to store data in Singapore, there remains a possibility that it could later be transferred to China. This is why authorities must closely monitor whether Chinese companies comply with Korea’s personal information protection laws.”