South Korea’s PIPC fines payment companies for data privacy violations: key lessons for businesses 

Updated as of: 19 February 2025

Obtaining consent, clearly outlining privacy policies, and adopting robust internal governance are some key considerations for businesses as shown in South Korea's fines on Kakao Pay and Apple for cross-border transfers.


Digital payment services and cooperation between different platforms heighten compliance risks under data privacy and protection laws. On 22 January 2025, South Korea’s Personal Information Protection Commission (PIPC) imposed fines totalling 8.38 billion won (US$5.81 million) (Korean language only) on Kakao Pay and Apple for transferring personal data to Alipay without customer consent.

The PIPC found that Kakao Pay transferred personal data to Apple through Alipay, which provides payment system integration services within Apple. Meanwhile, Apple entrusted Alipay with calculating non-sufficient funds (NSF) scores and processing personal data for payment. NSF scores show how likely a customer is to run out of money when combining small payments into one. The PIPC’s decision came after an on-site inspection by the Financial Supervisory Service (FSS) which revealed in August 2024 that Kakao Pay had provided customer credit information of up to 40 million users to third parties without their consent. 

The PIPC said the penalties clarify the scope of cross-border data transfer rules and data privacy laws for businesses, including obtaining separate consent from data subjects, notifying users of their privacy policies for cross-border data transfers, and safeguarding data when entrusting third parties. 

Experts told Lexology PRO that businesses should adopt a more granular approach to user consent frameworks, enhance transparency in data handling processes, and implement robust internal governance to comply with evolving data privacy regulations and mitigate costly legal disputes. 

What are the key violations found under the PIPC’s investigation?

Transfer of data without consent 

The PIPC found that Kakao Pay transferred the personal data of up to 15.9 million users to Alipay on three occasions between April and July 2018. Alipay used the data to build a model for NSF score calculation. The data transferred included 24 items, such as unique user numbers, mobile phone numbers, and email addresses. 

Furthermore, between June 2019 and May 2021, Kakao Pay transferred the personal data of all its users to Alipay daily. The transfers included non-Apple users, totalling 40 million users, even though less than 20% of Kakao Pay’s users had registered Kakao Pay as a payment method with Apple. Alipay calculated NSF scores in advance and responded immediately when Apple inquired about a user’s NSF score. As a result, Kakao Pay users were unaware that their personal information was being transferred and processed overseas.

The PIPC imposed a 5.97 billion won (US$4.14 million) penalty on Kakao Pay and a correction order to meet the country’s cross-border data transfer rules. The regulator also required Kakao Pay to disclose the sanction results on its website and mobile app. 

Failure to disclose overseas trustee in privacy policy

The PIPC found that Apple did not disclose Alipay as an overseas trustee for cross-border transfers of personal data in its privacy policy. Apple entrusted Alipay with its system integration process, including the processing of personal data for payment information and the calculation of NSF scores. 

The regulator fined Apple a total of 2.4 billion won (US$1.67 million) for the violation above. The PIPC also imposed a 2.2 million won (US$1,526) fine on Apple for failure to inform data subjects of the practice and issued a correction order to include the transfer of users’ personal data to Alipay in its privacy policy. 

Unauthorised use of personal data for NSF score calculation

The PIPC instructed Alipay to destroy the model as it found that the model violated South Korea’s data privacy laws and cross-border transfer rules for personal data. 

Key considerations for businesses

Be clear on personal data processing practices in privacy policies 

The case underscores the significance of transparency in privacy policies. Businesses should clearly outline the types of personal data collected, the purposes of the processing, the retention period, and the intended recipients. Particularly, businesses should include any overseas third parties involved in data handling and processing. FSS’s inspection revealed that Kakao Pay’s terms and conditions did not mention providing customer information to third parties (Korean language only).

Obtain separate consent from data subjects 

Regulatory investigations such as the PIPC’s into the payment companies highlight the need for businesses to obtain explicit opt-in consent from users for each specific data processing activity, including cross-border transfers. Such measures could involve presenting a set of checkbox consents that are not pre-ticked.

“Businesses must transition towards a framework in which user consent for the collection, use, and transfer of personal data is obtained in a more explicit and granular manner. Enhancing transparency and implementing intuitive consent procedures are essential to ensuring that users fully understand how their personal information is being utilised,” said Jeonghee Kang, partner at Bae, Kim & Lee.

Navigate extraterritorial data privacy laws 

Companies operating internationally should stay informed about evolving data privacy rules that may be applicable extraterritorially. “Adequate consent is a core pillar of most data protection regimes – even in jurisdictions that do not expressly restrict cross-border data transfers (like Hong Kong); extraterritoriality is a feature of several of the new Asian data privacy regimes; and data privacy regulators across Asia are flexing their powers (however extensive or limited), demonstrating their collective intention to operate as modern regulators rather than their perceived previous role as data rights educators,” said Jonathan Crompton, partner at RPC.

Establish robust internal data protection governance 

In addition to privacy policies, businesses should implement robust internal measures to safeguard personal data. “Companies must establish robust internal data protection governance while strengthening compliance capabilities through regular internal training and legal assessments. It is critical to develop internal policies that ensure full adherence to legal standards at every stage of the data lifecycle, including collection, processing, storage, and deletion,” Kang at Bae, Kim & Lee added.

“This actually is a very positive development because it encourages better data governance across industries. Failure to comply with data protection rules is increasingly leading to potential lawsuits, which can be very expensive, particularly if there were any cross-border transfers of the data,” said Peter Kwon, partner and head of Korea desk at RPC.
