On August 13, the Financial Supervisory Service (FSS) of South Korea announced the results of its investigation into the online payment platform Kakao Pay. The findings revealed that Kakao Pay had transmitted users' personal information from South Korea to Alipay in China without obtaining user consent. The FSS indicated that this behavior might violate South Korea's Credit Information Use and Protection Act, and is currently considering appropriate sanctions against the company. Furthermore, the FSS plans to conduct a deeper investigation into whether other mobile payment platforms have similar issues. Consequently, Kakao Pay may face significant penalties.
Case Background
Kakao Pay is South Korea's most popular mobile payment platform, offering services such as online payments, transfers, bill payments, and investment management. The platform has accumulated over 40 million users, making it the most commonly used mobile payment method in South Korea, often referred to as the "Alipay of Korea." Kakao Pay's second-largest shareholder is also Alipay, a subsidiary of China's largest fintech company, Ant Group.
Between May and July of this year, the FSS inspected Kakao Pay's foreign exchange transactions and discovered that Kakao Pay had provided Alipay with personal information of all its users, including those who had never used its overseas payment services. This information included sensitive data such as Kakao account IDs, phone numbers, email addresses, as well as Kakao Pay's registration and transaction records.
Overseas Payment Information
Since Kakao Pay has not yet established a complete international payment network, it allows its users to make payments at overseas merchants contracted with Alipay through their partnership. However, even in some overseas payment settlements where user information was not required, Kakao Pay disclosed this information to Alipay without user consent. When users make payments at overseas merchants contracted with Alipay, Kakao Pay’s account information, order details (including time, amount, and transaction type), and payment data (such as currency type and payment method) are shared with Alipay. FSS officials noted: “Since Kakao Pay account information is included in the settlement information shared, Alipay can combine users' credit information with their order and payment details. We believe Alipay may have requested this information for marketing purposes.” Since 2019, Kakao Pay has provided Alipay with 550 million pieces of personal information related to overseas payment users.
User Credit Information
According to the FSS, Kakao Pay leaked user credit information to Alipay to offer payment services on Apple's App Store. Apple requires all payment platforms in its App Store to provide customer NSF scores (Non-Sufficient Funds, a credit score needed by Apple to operate its unified payment system). As a result, Kakao Pay provided user credit information to Alipay for score calculation and other data processing activities. The FSS pointed out that NSF score calculations only require credit information from users of the service, but Kakao Pay provided Alipay with credit information for all users, including those who never used the overseas payment service. This practice exceeded the reasonable scope of user personal information processing required by Alipay and could likely lead to the improper use of customer information. Since April 2018, Kakao Pay has been transmitting this type of information to Alipay once a day, involving approximately 40.45 million users and 54.2 billion records of personal information to date.
Controversy
In response to the allegations made in the FSS investigation report, Kakao Pay defended itself, insisting that it did not illegally provide user information to Alipay. Firstly, Kakao Pay stated that the user information provided to Alipay was based on a business outsourcing relationship and that, according to Article 17, Paragraph 1 of the Credit Information Use and Protection Act, personal credit information transferred due to outsourced processing does not require the consent of the information subject. Secondly, Kakao Pay emphasized that before providing user information to Alipay, it had encrypted the information, ensuring that even if the information were illegally obtained, it could not be restored to its original state, thereby effectively protecting user privacy.
However, the FSS did not accept Kakao Pay's explanation. The FSS pointed out that there was no contract between Kakao Pay and Alipay regarding the generation of NSF scores, and that the information provided by Kakao Pay exceeded the scope agreed to by the information subjects. Although Kakao Pay claimed to have encrypted the information, the FSS argued that the encryption measures only involved basic encryption of user personal information without using random values, and the structure of the encryption function remained unchanged. The FSS concluded that this level of encryption was insufficient to fully protect user privacy.
Next, the FSS plans to send a detailed investigation report to Kakao Pay and will issue a final decision on how to proceed.
