Republic of Korea: Personal Information Protection Commission fined Kakao Pay, Apple and Alipay for unauthorised overseas data transfers

On 23 January 2024, the Personal Information Protection Commission (PIPC) fined Kakao Pay and Apple a combined KRW 8.3752 billion for unauthorised overseas transfer of personal data. Kakao Pay was fined KRW 5.968 billion for transferring data of approximately 40 million users to Alipay without consent to develop NSF scores (used to predict insufficient funds for payments). This included data of non-Apple users, violating the Personal Information Protection Act. Apple was fined KRW 2.45 billion, with an additional penalty of KRW 2.2 million, for failing to disclose Alipay as its overseas trustee in its privacy policies. Alipay, responsible for building NSF score models using this data, was ordered to destroy the model due to its illegal creation. The PIPC emphasised that businesses must obtain explicit consent for international transfers or inform users through privacy policies when entrusting data processing to overseas entities. Kakao Pay and Apple have been instructed to ensure compliance and disclose these violations on their websites.