The penalties stem from unauthorised transfers of personal data involving approximately 40 million users to Alipay, a Chinese payment platform.
The PIPC's investigation revealed that between April and July 2018, KakaoPay transferred sensitive user data to Alipay without obtaining proper consent. This data, spanning 24 categories, included phone numbers, email addresses, account balances, and other personal details. The transfers were carried out to calculate 'NSF scores,' which assess the likelihood of insufficient funds during bundled microtransactions, as part of Apple’s payment evaluation process.
Notably, these transfers involved all KakaoPay users, even though only 20% of them had registered Apple Pay as a payment method. Neither KakaoPay nor Apple disclosed these international data transfers in their privacy policies, leaving users unaware of the practices.
KakaoPay received a fine of USD 4.14 billion for its role in the unauthorised data transfers and was ordered to address compliance issues. The company must publicly disclose the violations on its website and app.
Apple was fined USD 1.7 billion for outsourcing data processing to Alipay without informing users and for failing to update its privacy policy to reflect the transfers. The company has been instructed to rectify its practices and make the violations public.
The PIPC has also directed Alipay to destroy its NSF score calculation models based on the transferred data. Furthermore, financial regulators, including the Financial Supervisory Service and the Financial Services Commission, are expected to address related violations involving unauthorised financial data sharing.
The ruling highlights the importance of transparency in data handling and compliance with privacy laws, setting a precedent for international companies operating in South Korea.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now