Alleged Illegal Transfer of Personal Information on Alie?…3 Key Issues Between FSC and Kakao Pay

The Financial Supervisory Service (FSS) has uncovered that KakaoPay, which is the second-largest shareholder of Alipay, transmitted personal credit information to Alipay.

KakaoPay provided personal credit information of all its subscribers, including customers who did not use overseas payments. Since April 2018, the cumulative number of personal credit information records provided reached 54.2 billion (40.45 million people), including Kakao account IDs, mobile phone numbers, emails, as well as KakaoPay subscription details and transaction histories (balance, charging, withdrawal, payment, remittance details).

Additionally, for customers who used overseas payments, from November 2019, KakaoPay provided 550 million records of Kakao account IDs and order information (time, currency, amount, transaction type, etc.), and payment information (time, currency, amount, payment method, etc.) each time overseas payments were made. The FSS pointed out that KakaoPay provided credit information of overseas payment users to Alipay even though such information was unnecessary for settling overseas payment amounts with Alipay.

There are three major points of disagreement between the FSS and KakaoPay: misuse of customer credit information, information transmission under consignment, and encryption of information and customer consent. KakaoPay insists there were no illegal or unlawful acts in the process of transmitting personal credit information and that there are differences in legal interpretation, but the FSS finds it difficult to accept these claims.

KakaoPay’s second-largest shareholder is ‘Alipay Singapore Holding’ with a 32.06% stake. Alipay Singapore Holding is an Alipay-related affiliate of Ant Group, China’s largest fintech (finance + technology) company. Furthermore, KakaoPay is an early partner of Alipay’s global mobile payment service ‘Alipay Plus,’ supporting not only overseas payments by domestic customers but also domestic payments by overseas Alipay customers.

On the 13th, the FSS stated in a press reference material, “KakaoPay continues to provide credit information of all customers to (Alipay), raising concerns about misuse of customer information.” KakaoPay unnecessarily provided personal credit information of all customers, not only those subject to information transmission, to a third party.

KakaoPay transmitted personal credit information to Alipay at Apple’s request. When Apple requested customer-specific credit scores (NSF scores) necessary for its integrated economic system from Alipay, Alipay requested personal credit information from KakaoPay under the pretext of calculating NSF scores. During this process, the FSS revealed that KakaoPay provided Alipay with information of all customers, not only those subject to NSF score calculation.

KakaoPay denies any illegal provision of information. A KakaoPay official said, “There appear to be conflicting views on legal interpretation,” and added, “We will clarify specific details during the FSS investigation process.”

In response to the FSS’s claim that personal credit information was exchanged without customer consent, KakaoPay explained that it was a normal information transfer method under a consignment agreement. The information transfer was carried out as a processing consignment under the business consignment relationship among KakaoPay, Alipay, and Apple. According to the Credit Information Use and Protection Act (Credit Information Act), when information is transferred as processing consignment of personal credit information, the consent of the information subject is not required, KakaoPay explained.

The FSS judged otherwise, stating, “The relationship between KakaoPay and Alipay does not constitute a business consignment.” An FSS official told Asia Economy in a phone interview, “To consider this case as business consignment, Alipay, an electronic payment gateway (PG), would have to have NSF score calculation as its main business, but the general business of a PG company is payment settlement, isn’t it?” He added, “KakaoPay failed to submit a business consignment contract, and there was no evidence that it managed or supervised Alipay.”

According to the FSS, for ‘processing consignment of credit information’ to apply, the following conditions must be met: ▲ the consignor (KakaoPay) processes the information for its own business and benefit, ▲ the consignee (Alipay) does not have independent benefits other than the remuneration for processing the consigned work, and ▲ the processing is conducted under the consignor’s management and supervision.

KakaoPay also argued that customer consent was unnecessary because personal credit information was thoroughly encrypted. A KakaoPay official stated, “Since the information transmitted was absolutely undecipherable and could not identify whose information it was, it does not violate the Credit Information Act.”

However, the FSS found deficiencies in KakaoPay’s encryption method and maintains that customer consent is required even with meticulous encryption. An FSS official said, “KakaoPay has not changed the function structure necessary for encryption to date, so it is at a level where even the general public can decrypt (restore encrypted information to its original form).” He added, “Unlike anonymous information (which completely removes any connection to individuals so they cannot be identified), pseudonymized information (which cannot identify specific individuals without additional information) requires customer consent unless used for statistical or research purposes.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.