Title The PIPC Sanctions Kakao Pay and Apple for Unlawful Cross-Border Data Transfer
Department Date 2025.01.31
Attachment press release PIPC Sanctions Kakao Pay and Apple for Unlawful Cross-Border Data Transfer-rev2.pdf
Page URL https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2771
Contents

Press Release 

The PIPC Sanctions Kakao Pay and Apple for Unlawful Cross-Border Data Transfer 

- Separately, a correction order was issued to Alipay to destroy a model for calculating Non-Sufficient Funds (NSF) scores built upon personal information provided without obtaining consent from users

 

January 23, 2025

(This is an unofficial translation of a press release, originally prepared in Korean.)

 

The Personal Information Protection Commission (PIPC) held its 2nd plenary meeting of 2025 on January 22, 2025, and reached a decision to sanction Kakaopay Corp. (Kakao Pay), Apple Distribution International Limited (Apple) and Alipay Singapore E-Commerce Private Limited (Alipay), respectively, for their failures to comply with the legal requirements concerning cross-border transfer of personal data under the Personal Information Protection Act (PIPA). Administrative sanctions by the PIPC are as follows:

 

● Kakao Pay: A penalty for violations (Gwajinggeum) of KRW 5.97 billion (USD 4.16 million); 

● Apple: A penalty for violations (Gwajinggeum) of KRW 2.4 billion (USD 1.68 million) and a fine for wrongdoing (Gwataeryo) of KRW 2.2 million (USD 1,532); and 

● Alipay: A correction order to destroy a model for calculating a Non-Sufficient Funds (NSF) score of each user.

 

An NSF score refers to a customer-specific score that indicates whether the customer would have enough money to cover all transactions when using Apple’s App Store.

 

The PIPC launched investigations into the aforementioned businesses after media outlets reported that Kakao Pay transferred the personal information of its users to Alipay without gaining proper consent. The users were not aware of what kind of information was moved beyond the Korean jurisdiction, and Apple failed to notify its users of the entrustment of personal data processing to Alipay, a third-party entity which received relevant personal information from Kakao Pay and calculated NSF scores.

 

The following explains violations found as a result of the PIPC’s investigations on the three businesses’ failure to comply with the PIPA.

 

I. Investigation Results


1. Kakao Pay: Provision of personal information of all users directly to Alipay without obtaining consent

 

Kakao Pay transferred payment information and others to Apple through Alipay, a third-party service provider for consolidated payment processing, and Apple entrusted Alipay with the processing of associated personal data.

 

Regarding Kakao Pay’s cross-border data transfer, the company’s violations fall into two broad groups. First, Kakao Pay transmitted the personal data of all its users three times to build a model to calculate NSF scores. Second, the company sent vast amounts of personal information of its users every day, once the model was set up. Specific violations are as follows:

 

1) Kakao Pay transmitted the personal information of all its users three times to Alipay, without gaining consent from its users, to help Alipay build a model to calculate NSF scores from April to July 2018. Kakao Pay extracted information about 16 million users in the manner Alipay requested and sent the information to Alipay. The information sent covered a total of twenty-four types of unique user-specific numbers, including hashed internal customer numbers, phone numbers, and email addresses, and the information associated with the probability of lack of money (joined date, accounts verified with account holders’ ID, balance, and the numbers of top-ups, payments and remittances over the past seven days).

2) For NSF score calculations, Kakao Pay sent the personal information of its users (40 million when de-duplicated) every day from June 27, 2019, to May 21, 2024, without gaining proper consent.

 

In particular, the company sent not only the personal data of iOS users who registered Kakao Pay as a payment method but also that of Android users, even though iOS users account for less than 20% of the users who registered Kakao Pay as their payment method. Moreover, it was the only business calculating NSF scores through Alipay’s system among the domestic payment methods linked to users’ Apple ID.

 

In this regard, around 40 million Kakao Pay users were not aware of the daily cross-border transfer and processing of their personal information beyond the domestic privacy framework. 

 

2. Apple: Failures to inform data subjects of the entrustment of personal data processing and cross-border data transfer

 

Apple entrusted system integration (SI) tasks to Alipay, including application programming interface (API) development that enables users to use payment methods for its services. The company allowed Alipay to process payment information and personal data necessary for NSF score calculations of Kakao Pay’s users. Still, it failed to notify its users of the entrustment of personal data processing and cross-border data transfer through its privacy policy or other means. This non-compliance violated the rights of Kakao Pay’s users as data subjects pursuant to Article 28-8 of the PIPA regarding cross-border data transfer.

 

In its privacy policy, Apple has been listing NHN KCP, a payment gateway (PG) company, as one of its overseas entities entrusted with SI tasks, while, at the same time, failing to include Alipay on its list. As a result, users were not informed of, and had no way of knowing about, Alipay’s processing of their personal data.

 

3. Alipay: Building a model for calculating NSF scores and generating scores out of the personal information provided without consent

 

Alipay was provided with the personal data of all users from Kakao Pay every day, generated user-specific NSF scores, and updated the model based on the incoming data. It also responded to the request of Apple asking the company to fetch some of the users’ NSF scores. 

 

II. Sanctions


1. Kakao Pay: An administrative penalty, along with correction and publication orders

 

The PIPC regarded Kakao Pay’s provision of personal information to Apple (directly to Alipay) to build a model for calculating NSF scores without obtaining proper consent from users as non-compliance with the PIPA regarding obtaining consent for cross-border data transfer. As a result, the PIPC resolved to impose an administrative penalty of KRW 5.97 billion, along with a correction order to meet the legal requirements for cross-border data transfer. A publication order to disclose the sanction results on its website and mobile app was also issued. The provision of users’ personal credit information to third parties is under a separate review by the Financial Services Commission (FSC) pursuant to the Credit Information Use and Protection Act.

 

2. Apple: An administrative penalty, an administrative fine, along with correction and publication orders

 

Regarding Apple’s violations, the PIPC imposed an administrative penalty of KRW 2.4 billion on Apple for not indicating an overseas entity entrusted with the processing of personal data in its privacy policy or other means. The PIPC also imposed an administrative fine of KRW 2.2 million on the company for not informing data subjects of the entrustment of personal data processing, along with a correction order to include in its privacy policy the cross-border transfer of users’ personal information resulting from the entrustment of personal data processing to Alipay.

 

3. Alipay: A correction order

 

Meanwhile, Alipay’s model for calculating NSF scores was built upon the unlawful provision and cross-border transfer of personal information. To address the root cause of violations of the PIPA, the PIPC issued a correction order to the third-party payment platform to destroy the model.

 

III. Key Takeaways

 

The sanctions against the three large technology companies hold significance in that the results clarify the scope of cross-border transfer of personal data and reaffirm that businesses should adhere to legal requirements for cross-border data transfers as we are witnessing a growing number of cross-border data transfers precipitated by global platform services expanding their presence in every corner of the world.

 

To meet the legal requirements for cross-border data transfers, business operators should obtain separate consent from data subjects when providing the services accompanied by cross-border data transfer. They are also required to notify data subjects in their privacy policy that their personal information moves beyond the territory of the country when entrusting personal data processing to an overseas entity. 

 

Businesses entrusting data processing to an external entity should take responsibility for safeguarding data subjects. When personal information is transferred to a third party and when such a third party assumes responsibility related to personal information processing, such transfer would no longer be deemed entrustment. As such, an entity transferring personal information should have a legal basis, such as obtaining consent from the data subjects.

 

* A PDF file, formatted for better readability, is attached.
