South Korea's PIPC Cracks Down on Temu for Unlawful Cross-Border Data Transfer & Other Violations

Key Takeaways
  • Heavy Penalties for Temu: Temu faces a KRW 1.369 billion penalty and KRW 17.6 million in fines for failing to comply with PIPA’s data transfer and processing requirements.
  • Data Transparency Issues: The company failed to disclose cross-border data transfers and didn’t properly notify users about how their personal data was being handled.
  • Corrective Measures: Temu has been ordered to revise its privacy policies, appoint a domestic agent, and ensure better oversight of third-party data processors.
  • Ongoing Monitoring: The PIPC will continue to monitor Temu’s compliance efforts to protect Korean users’ personal data.
  • Broader Implications: The PIPC is also stepping up efforts to help foreign businesses comply with South Korea’s strict data laws, offering guidance and releasing translated materials for easier compliance.

Deep Dive

The Personal Information Protection Commission (PIPC) has delivered a blow to Temu, the popular online marketplace platform, by sanctioning the company for serious violations related to cross-border data transfers and other mishandling of personal data. This action, taken after a thorough investigation, comes with financial penalties and several corrective orders aimed at restoring compliance with South Korea’s Personal Information Protection Act (PIPA).

Temu, which connects buyers and sellers while taking a commission from each sale, has been under the PIPC’s microscope since late 2024. The platform’s business model relies on multiple third-party companies across the globe (specifically in Korea, China, Singapore, and Japan) to handle and store personal data for shipping purposes. But here's where the trouble starts: Temu failed to disclose these data transfers to users in its privacy policy, as required by law. And it didn't stop there. The company didn’t make it easy for users to withdraw their data or memberships, instead creating a cumbersome seven-step process for users who wanted out.

But perhaps the most concerning violation? Temu didn’t designate a domestic agent in South Korea to oversee its data processing activities, a clear requirement under PIPA.

Unlawful Identity Verification

It gets worse. In an attempt to streamline its operations, Temu began recruiting Korean sellers to offer a 'local-to-local' service, allowing them to sell and ship products directly to South Korean buyers. To do so, Temu required sellers to provide sensitive personal data, including facial video footage and resident registration numbers (RRNs). The company collected and processed this information without any lawful basis. While Temu did destroy the data after the investigation began, the damage was already done. This represents another serious breach of data protection laws.

As a result of these violations, the PIPC has hit Temu with a $982,030.77 (KRW 1.369 billion) penalty. In addition to this substantial fine, Temu faces $12,624.90 (KRW 17.6 million) in fines for its failure to disclose cross-border data transfers and its failure to appoint a domestic agent. But the financial penalties are only part of the story.

Temu has been issued a set of corrective orders, which include:

  • Transparency: Temu must now disclose all cross-border data transfers and data processing practices clearly in its privacy policy.
  • Improved Oversight: The company is required to implement stronger management measures to ensure that its third-party processors comply with PIPA.
  • Domestic Agent Appointment: The PIPC insists that Temu designate a domestic agent in South Korea to safeguard the personal data of its users.

What’s Next for Temu and the PIPC?

The PIPC isn’t letting up. It has vowed to continue monitoring Temu’s compliance and will keep a close eye on how the company implements these corrective measures. As the digital marketplace landscape continues to expand, particularly with foreign companies entering South Korea’s market, the PIPC is setting a clear precedent for how companies must respect the personal data of Korean citizens.

And Temu isn’t alone in facing scrutiny. The PIPC has already issued similar sanctions to other companies, such as Alibaba’s AliExpress, underscoring the seriousness of cross-border data transfer violations.

The PIPC has also released a Chinese-language version of its guidelines for foreign businesses, helping companies like Temu better understand the intricacies of South Korea’s data protection laws and ensuring compliance with PIPA.
