What: South Korea fines Apple Pay and KakaoPay USD 5.8 million for transferring 40 million users' personal data to Alipay without consent.

Why it is important: This regulatory action signals stricter enforcement of data privacy in payment systems, affecting how retailers must approach customer data management and third-party partnerships.

South Korea's Personal Information Protection Commission has imposed significant fines totalling 8.3 billion won (USD 5.8 million) on KakaoPay and Apple Pay for unauthorised data transfers to China's Alipay. The investigation revealed that KakaoPay shared personal information from approximately 40 million users with Alipay for Apple's payment evaluation processes, specifically for calculating NSF scores that assess insufficient funds risk during bundled microtransactions. The violations occurred between April and July 2018, with KakaoPay transferring data across 24 categories, including sensitive information such as phone numbers, email addresses, and account balances. The scope of the breach was particularly concerning as it affected all KakaoPay users, despite only 20% having registered payment methods with Apple Pay. KakaoPay received the larger penalty of USD 4.2 million for unlawful international data transfers, while Apple was fined USD 1.7 million for failing to disclose its outsourcing of data processing to Alipay. Both companies must publicly disclose these violations and implement corrective measures.

IADS Notes: The South Korean privacy violation case emerges amid heightened global scrutiny of payment data handling. As noted in November 2024, 75% of consumers now base their purchasing decisions on companies' data practices, making such violations particularly significant for retail operations. The timing is especially critical as payment systems become increasingly complex, with January 2025 data showing sophisticated fraud prevention systems blocking nearly USD 917 million in fraudulent transactions during a single shopping weekend. The case also highlights the challenges of cross-border data management, paralleling March 2024's implementation of Alipay+ by El Corte Inglés for Asian customers, though with stricter compliance measures. This regulatory action follows a broader trend of payment system oversight, exemplified by March 2024's USD 30 billion settlement between US retailers and major card networks over transaction fees, demonstrating how payment providers must balance innovation with regulatory compliance and consumer trust.

Apple Pay and KakaoPay fined over data privacy violations in South Korea