With the recent National Assembly audit raising the issue of customer data leaks at the Chinese online travel agency (OTA) Trip.com, attention is growing on China's National Intelligence Law, cited as the backdrop. The law requires all organizations and citizens to support the state's intelligence activities, prompting concern that the Chinese government could indiscriminately harvest information on users in Korea through Chinese platforms used by Koreans.
Kim Jae-seop of the People Power Party said at the National Policy Committee audit on 14th, "Trip.com's terms of service state that it can share users' personal information with its affiliates," adding, "In effect, there is a high possibility that the personal information of citizens of the Republic of Korea will be leaked to a Chinese-affiliated company." He continued, "Promise to amend the clause that says the company can share user information with its affiliates."
Hong Jong-min, head of Trip.com's Korea office, who appeared as a witness that day, said, "It is not something I can decide; I will report it to headquarters and review it." Personal Information Protection Commission Chairperson Song Kyung-hee said, "The PIPC previously investigated and took action against Trip.com, and we will further look into whether there have been any violations since."
Trip.com Group is registered as a Singapore entity but is a Chinese-affiliated company headquartered in Shanghai, China, with multiple Chinese subsidiaries, including the global flight search platform Skyscanner.
Trip.com's terms of service state that "various information, including reservation product information, name, mobile phone number, and email, as well as date of birth and passport number, residence, and chat app IDs such as KakaoTalk, may be transferred overseas." Users may refuse consent to the overseas transfer of personal information; however, if they refuse, they are informed that "use of the service will be restricted."
China's National Intelligence Law is cited as the background for the emergence of such terms. Enacted in 2017, the law defines the authority of intelligence agencies and the obligation of citizens and organizations to cooperate, mandating support for the government's intelligence activities. The law can affect corporations that host servers in China or overseas branches of Chinese-affiliated corporations.
For example, Article 7 of the National Intelligence Law states, "All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with the law." Article 10 provides that "national intelligence agencies may, in accordance with the law, request necessary information, materials, and technical support," and Article 14 declares that "national intelligence agencies may cooperate with relevant agencies, organizations, and citizens to carry out intelligence collection."
In addition, China enacted the Data Security Law in 2021, whose Article 35 states, "When public security or state security organs collect data in accordance with the law as needed to safeguard national security or investigate crimes, they shall comply with legal procedures such as approval procedures in accordance with relevant provisions, and relevant organizations or individuals shall cooperate."
A variety of Chinese platforms are currently operating in Korea. Among them, there have been cases in which actual data leak activities were detected and punished. The Chinese e-commerce platform Temu was found to have transferred personal information, including names and personal customs codes, to China and elsewhere without the consent of domestic users. The Personal Information Protection Commission imposed a penalty surcharge of 1.369 billion won and fines of 17.6 million won in May and resolved corrective orders and other measures.
Customer information and data management were key issues in the launch process of the joint venture between Shinsegae Group's e-commerce platform Gmarket and China's AliExpress, which was approved by the Fair Trade Commission recently. As a condition for approval of the joint venture, the commission required the two sides to technically segregate consumer data they hold.
In relation to this business combination, Shinsegae Group Chairperson Chung Yong-jin was also selected as a witness for the Trade. Industry Energy. SMEs. and Startups Committee audit to be held on 24th. The committee plans to ask about "the protection of domestic consumers' information on online platforms" in connection with the establishment of the Gmarket–AliExpress joint venture.
An information security industry official said, "Because China's National Intelligence Law can serve as a legal basis for domestic users' personal information to be provided to the Chinese government, our government should step in to examine the flow of personal information transfer overseas by Chinese platforms and prepare countermeasures accordingly."