South Korea Orders Starbucks & Elevate to Fix Data Practices as Namuwiki Faces Criminal Complaint

Key Takeaways

• Corrective Actions Ordered: South Korea’s Personal Information Protection Commission (PIPC) issued correction orders to Starbucks and Elevate over violations linked to the Ethical Sourcing Program.
• Oversight Failures: Regulators say Starbucks did not put proper agreements in place or adequately supervise Elevate’s handling of workers’ personal data.
• Excessive Data Collection: Elevate reportedly transmitted unnecessary HR files, wage information, and timesheet logs from Korean outsourcing partners.
• Criminal Complaint Filed: The operator of Namuwiki, umanle, is now facing criminal investigation for refusing multiple lawful requests for information.
• Compliance Monitoring Ahead: The PIPC will continue tracking Starbucks and Elevate, warning that further sanctions could follow if issues aren’t resolved.

Deep Dive

South Korea’s data protection watchdog says Starbucks and its third-party auditor mishandled workers’ personal data and now both companies are being ordered to fix it. The Personal Information Protection Commission (PIPC) resolved to issue correction orders and compliance recommendations to Starbucks Corporation and Elevate Hong Kong Holdings Limited, following a probe into how the two handled personal information linked to Starbucks’ Ethical Sourcing Program in Korea.

In a separate enforcement action, the commission has referred umanle, operator of the popular community-driven platform Namuwiki, to criminal investigators after the company repeatedly refused to provide information the PIPC says it legally requested.

Ethical Sourcing and Excessive Data

The PIPC’s scrutiny of Starbucks traces back to February 2023, when Korean media reported allegations that outsourcing partners were being asked for personal information well beyond what was necessary. That triggered a wider inquiry into the Ethical Sourcing Program, which is meant to ensure suppliers meet standards on working hours, wages, health and safety, and environmental practices.

To assess compliance, Starbucks relies on Elevate, a third-party organization responsible for examining outsourcing firms and reviewing their performance against Starbucks’ criteria. But regulators say the safeguards around that arrangement were far too lax.

Starbucks failed to execute a proper data-processing agreement that met legal requirements under the Personal Information Protection Act, a core component of risk mitigation whenever personal data is shared with a service provider. And once Elevate stepped in, the issues escalated. According to the commission, the company collected and transmitted excessive personal information about Korean workers, including HR files, wage data, and detailed timesheets.

The result is that both companies now face correction orders—Starbucks for insufficient oversight of its data processor, and Elevate for processing personal data without appropriate legal justification under PIPA. The commission says it will track their compliance closely and could escalate sanctions if improvements don’t materialize.

While the PIPC confirmed that SCK Company was not directly involved in the violations, it recommended the company provide guidance on privacy compliance to Starbucks, Elevate, and the suppliers subject to evaluation.

Wiki Operator Draws a Firmer Response

Namuwiki, meanwhile, faces a harsher consequence. The PIPC says it made multiple requests for information under Article 63(1) of the PIPA and received refusal each time. Namuwiki reportedly argued that Korea’s privacy law doesn’t apply to the company because it is headquartered in Paraguay.

Regulators didn’t buy it. Following continued non-cooperation, the PIPC has now filed a complaint with the relevant investigative authorities, turning the privacy dispute into a criminal case.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.