Chinese Robot Vacuum Manufacturer Refuses to Collect Personal Data and Goes on “Strike”?

Recently, the way in which Roborock, a Chinese manufacturer of intelligent robotic vacuum cleaners, collects and processes personal information has sparked security controversies in the South Korean National Assembly.

Kim Seung-won, a Democratic Party of Korea member of the National Assembly’s Political Affairs Committee, raised concerns on October 28th during a comprehensive inquiry into the Personal Information Protection Commission and other institutions. He pointed out, “Robotic vacuum cleaners have become essential in people’s lives, but concerns about personal data leaks and privacy infringements are on the rise.”

Initially, Roborock’s service terms stated that the data of Korean customers was collected in American data centers. However, after an amendment in March of this year, the terms were changed to indicate that data is now directly collected and processed in China.

Kim Seung-won further criticized, “If users do not agree to provide personal information, a product priced at approximately 1.7 million Korean won (about 9,000 Chinese yuan) becomes a ‘hollow vacuum cleaner,’ with almost all functions restricted, effectively creating a structure that forces users to provide personal information.”

He added, “More significantly, even if the data subject (user) does not agree, Roborock can still provide information to third parties under so-called ‘scope of rights’ terms.”

Kim Seung-won highlighted, “Especially in China, there are regulations such as the National Security Law and the Data Security Law, which allow the Chinese Communist Party to require not only Chinese citizens but also foreigners to provide information. There is a legal basis for this, and it is a cause for grave concern in reality.”

In response to these allegations, the managing director of Roborock’s Korean branch, Zhang Youzhen, stated, “To the best of my knowledge, personal information is securely processed in encrypted form at Amazon Web Services (AWS) data centers in the United States. Data such as photos and images are processed internally in encrypted form on devices and are not uploaded or stored on servers.” She added, “All data is handled in accordance with Korean laws and complies with relevant standards.”

Commenting on the issue, Chairwoman of the Personal Information Protection Commission in South Korea, Song Kyung-hee, explained, “Due to budget constraints, we currently only have three devices for direct analysis and have referenced data from two devices submitted in the past for Privacy by Design (PbD) process analysis. There is indeed an issue with inadequate equipment.”

She further elaborated, “The current personal information processing process is very complex, involving devices like robotic vacuum cleaners, smartphone application controls, routers, and server hosts (base center stations), with information passing through multiple devices and paths.”

Song Kyung-hee stated, “It is necessary to analyze in detail how personal information is transmitted during this process, whether encryption is adequate, and where the data is ultimately stored. Therefore, we have been emphasizing the importance of establishing a technical analysis center. We have been striving to secure a budget for this purpose, but unfortunately, it has not been approved. We will make every effort to continue advancing the relevant work.”