On July 24, 2024, the Personal Information Protection Commission (PIPC) of South Korea decided to fine Alibaba.com Singapore E-Commerce Private Limited (referred to as "Alibaba") 1.978 billion won (approximately $1.43 million) for violating the cross-border transfer requirements of South Korea's Personal Information Protection Act when it passed user personal information to overseas sellers, and ordered it to take corrective measures.
Case Background
Alibaba operates the "AliExpress" platform, on which sellers sell products to consumers in multiple countries and regions, with Alibaba taking a percentage of each sale as a commission. AliExpress has become one of the largest e-commerce platforms globally, and its business in South Korea has been expanding: the platform's Korean user base reached 8.41 million by the end of the second quarter of 2024.
The rapid rise of foreign e-commerce platforms has raised concerns in South Korea about personal privacy, and the PIPC began investigating the relevant platforms in October 2023. According to the PIPC's findings, after a user purchases goods, AliExpress transfers the user's personal information to the overseas seller so that the order can be delivered; more than 180,000 Chinese sellers had received the personal information of Korean users in this way. However, Alibaba neither provided users with the information required by South Korea's Personal Information Protection Act nor took the protective measures the Act stipulates.
Enforcement Analysis
The PIPC determined that Alibaba violated Article 28-8 of South Korea's Personal Information Protection Act regarding the notification obligations for cross-border transfers of personal information, and Article 29-10 of the Personal Information Protection Act Enforcement Decree concerning protective measures for cross-border transfers of personal information. Specifically:
(1) Notification Obligations
Article 28-8, Paragraph 1 of South Korea's Personal Information Protection Act permits a cross-border transfer of personal information only on specific legal bases, including the data subject's separate consent; a provision of law or treaty; necessity for entering into or performing a contract with the data subject; certification of the recipient by the PIPC; and recognition by the PIPC that the recipient country provides a level of personal information protection comparable to South Korea's. Paragraph 2 requires that, where the transfer relies on the data subject's consent, the data subject be informed in advance of: (1) the items of personal information to be transferred; (2) the country, date, and method of transfer; (3) the name and contact information of the recipient; (4) the purpose for which the recipient will use the personal information and the retention period; (5) the method of refusing the transfer and the effect of such refusal.
In this case, consent was the only legal basis available to Alibaba for transferring user personal information to overseas sellers, so the Paragraph 2 notice was mandatory. Alibaba nevertheless did not inform users of the country of transfer, the recipient's name and contact information, or the other statutory items.
(2) Protective Measures
Article 29-10 of the Personal Information Protection Act Enforcement Decree requires a controller that transfers personal information across borders to take protective measures, namely security safeguards, procedures for handling complaints and resolving disputes arising from personal information leakage, and other necessary measures, and to reflect these measures in its contract with the recipient of the personal information.
In this case, the contract between Alibaba and the sellers (i.e., the recipients of personal information) did not reflect the protective measures required by the aforementioned provisions.
Additionally, the PIPC found that the AliExpress platform's membership withdrawal page was difficult to locate and that the account deletion page was displayed only in English, which made it hard for Korean users to exercise their rights.
During the investigation, Alibaba had already taken corrective actions on its own, such as obtaining user consent for the cross-border transfer of personal data as required by law and revising its personal information handling policies to comply with South Korea's Personal Information Protection Act.
Compliance Implications
Legislation in many countries imposes strict requirements on cross-border data transfers, and companies operating internationally should pay particular attention to them. Typically, a cross-border transfer is permitted only on a closed set of legal bases, commonly: the recipient country is recognized as providing an equivalent or higher level of data protection; standard contractual clauses (SCCs) or an equivalent contract have been concluded; or the transfer is occasional and limited and made with the data subject's consent. The details, however, vary widely among countries, and different situations may carry different obligations. The Alibaba fine appears to stem from an insufficient assessment of South Korean law and a lack of compliance measures tailored to it, so companies operating internationally must carefully account for such legal differences and ensure compliance with the local rules in each market.
Regarding data subject consent, legislation generally requires that consent be informed, specific, and freely given. When obtaining user consent, companies must therefore provide users with sufficient information beforehand and obtain consent for the specific processing in question rather than a blanket authorization.
For user interfaces, especially those involving important user rights, companies should design them to be simple, understandable, and easy to operate to ensure users can exercise their rights or access related services.
Additionally, the PIPC's recommendations for companies operating in South Korea are worth noting:
- Publicize personal information handling processes transparently and understandably, and keep them updated regularly.
- In addition to appointing a domestic representative in South Korea, make substantial efforts to protect personal information, such as developing and implementing specific plans for handling related complaints and remedies.
- Adhere to the principle of data minimization when collecting and processing personal information, and participate in the public-private self-regulatory framework for e-commerce platforms in South Korea or provide an equivalent level of personal information protection.