The Personal Information Protection Commission (PIPC, chaired by Haksoo Ko, hereinafter referred to as the “Commission”) held its second plenary meeting on January 22 and imposed fines and penalties totaling KRW 8,375,200,000 on Kakao Pay and Apple for violating the Personal Information Protection Act (hereinafter referred to as the “Act”). Additionally, the Commission ordered Alipay to destroy its improperly established NSF (a customer credit score necessary for Apple’s batch payment system operation) score calculation model.
This investigation began in response to media reports that Kakao Pay had transferred user data overseas without consent. The investigation revealed that Kakao Pay provided all users’ personal information to Alipay for Apple’s user evaluation purposes without their consent, and Apple failed to notify users about the delegation of personal information processing and the transfer of data overseas.
From April to July 2018, Kakao Pay transmitted the personal data of approximately 40 million users to Alipay three times to facilitate Apple’s NSF score calculation. From June 2019 to May 2024, Kakao Pay continued transmitting personal data daily without obtaining consent for third-party provision or overseas transfer. Notably, personal information from all Kakao Pay users—not limited to Apple users—was provided to Alipay and used for NSF score calculations.
Apple delegated the processing of payment information and NSF score calculations to Alipay but failed to disclose this to users via its privacy policy or other means. Alipay built its NSF score calculation model using improperly provided data, and the Commission ordered the immediate destruction of this model.
The Commission imposed a fine of KRW 5,968,000,000 on Kakao Pay and a fine of KRW 2,405,000,000 with an additional penalty of KRW 2,200,000 on Apple. Both companies were issued corrective orders to comply with overseas transfer requirements, along with public disclosure orders. Alipay was mandated to destroy the NSF score calculation model.
The Commission emphasized the importance of compliance with legal requirements regarding the overseas transfer of personal information, particularly in light of the increasing prevalence of global platform services. The Commission urged businesses to thoroughly obtain user consent for overseas data transfers and ensure transparency through privacy policies. It also reiterated the need to strengthen legal responsibilities to safeguard user rights.
