South Korea’s privacy watchdog has just taken a big swing and fines e-commerce giant AliExpress. This move shows the country means business when it comes to protecting its citizens’ personal info, even when dealing with big-name international players.

Overview of South Korea’s fine on AliExpress

On 25 July 2024, South Korea’s Personal Information Protection Commission (PIPC) dropped a bombshell. They’ve hit Alibaba.com Singapore E-Commerce Private Limited, which runs AliExpress, with a whopping 1.97 billion won fine (that’s about $1.43 million) for breaking the country’s Personal Information Protection Act (PIPA). Oh, and they tacked on an extra 7.8 million won (around $5,640) as a penalty surcharge.

The PIPC dug into AliExpress’s operations and found out that the company had been passing on the personal details of about 180,000 South Korean users to Chinese sellers without dotting their i’s and crossing their t’s when it comes to consent and safety measures. This data handover was part of AliExpress’s usual business routine, where they play matchmaker between buyers and sellers and pocket a slice of the sales as their fee.

Timeline to comply

In South Korea’s fine on AliExpress, the PIPC hasn’t spelled out exactly when AliExpress needs to get its act together. But they’ve made it clear they’ll be keeping a close eye on how the company follows through on their orders and suggestions for improvement. This ongoing scrutiny hints that AliExpress better move fast to make the required changes and show they’re serious about keeping South Korean users’ personal info safe.

Commissioner’s findings

The PIPC’s investigation uncovered several violations of PIPA by AliExpress.

  • Failure to notify users about the country to which their personal information was being transferred.
  • Lack of proper disclosure regarding the names and contact information of overseas recipients of personal information.
  • Inadequate reflection of necessary personal information protection measures in seller terms and conditions.
  • Making it difficult for users to exercise their rights by configuring the membership withdrawal menu to be hard to find
  • Displaying the account deletion page in English instead of Korean

These violations contravened Article 28(8) of PIPA, which deals with overseas transfer of personal information, and Articles 31(2) and 38, which concern the exercise of data subject rights.

What you can learn from South Korea’s fine on AliExpress

South Koreas fine on AliExpress case highlights a few lessons for businesses operating in or targeting South Korean consumers.

  • Compliance is borderless. Even as an international company, AliExpress was held to the same standards as domestic South Korean businesses.
  • Transparency is key. Clear communication about data transfers and processing is essential.
  • User rights matter. Making it easy for users to exercise their rights (like account deletion) is not just good practice, it’s the law.
  • Language considerations. Important information should be available in the local language.

Actions you can take next

  • Protect yourself by conducting a gap analysis. Review your current data practices against Nigerian laws.
  • Ensure compliance by working with our team to tailor your privacy policies.
  • Ensure compliance by asking us to create a compliant processes for cross-border data transfers.
  • Join our Data Protection programme which can help you stay ahead of regulatory changes.