Korean PIPC Fines AliExpress $1.43M for Data Protection Violations

 

On 24 July 2024, the Korean Personal Information Protection Commission (PIPC) concluded its 13th plenary meeting by imposing significant sanctions on AliExpress for violations of the Korean Personal Information Protection Act (PIPA). AliExpress, managed by Alibaba.com Singapore E-Commerce Private Limited, faces a penalty surcharge of 1.978 billion KRW ($1.43 million) and an administrative fine of 7.8 million KRW ($5,631). This action follows extensive investigations prompted by privacy concerns from the National Assembly in October 2023 and widespread media coverage.

 

Background

AliExpress, a global online marketplace, transfers buyers’ personal data to third-country sellers for shipping, which in AliExpress’ case included transferring data of over 180,000 Korean buyers to Chinese sellers. The PIPC found that AliExpress did not meet PIPA’s stringent requirements for cross-border data transfers, including obtaining explicit consent from users and ensuring robust safeguards and redress mechanisms.

 

Results

The investigation revealed multiple compliance failures by AliExpress:

    • Failure to Notify: Users were not adequately informed about the transfer of their personal data, including the recipient’s country and contact details.

    • Lack of Safeguards: Essential privacy protections were missing in terms and conditions.

    • User Rights Impediment: The platform complicated membership withdrawal and account deletion processes, only offering these in English.

 

Administrative Sanctions

The PIPC levied the following sanctions:

    • Penalty Surcharge: 1.978 billion KRW for cross-border data transfer violations.

    • Administrative Fine: 7.8 million KRW for inadequate data protection safeguards.

    • Corrective Orders: Required compliance with data transfer and user rights regulations.

    • Recommendations: Improve transparency, designate a domestic agent, and minimize data collection.

 

Corrective Measures by AliExpress

In response, AliExpress took steps to address non-compliance:

    • Informed Consent: Obtained users’ consent for data transfers.

    • Domestic Agent: Improved procedures for handling personal data.

    • Privacy Policy Updates: Aligned policies with PIPA requirements.

 

You can read the press release here.

♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy, digital and AI education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.

Scroll to Top