 |
Photo courtesy of Yonhap News |
[Alpha Biz= Paul Lee] A key issue has emerged in Kakao Pay’s administrative lawsuit against the Personal Information Protection Commission (PIPC): whether customer personal data and Apple’s fraud-prevention index, the NSF score, can be considered identical information.
At the second hearing held by the Seoul Administrative Court’s 12th Division (Chief Judge Kang Jae-won), the court stated, “Personal data, the source information, consists of dozens of items, and the NSF score is derived from it. The key issue in this case is whether the source information and the derivative output can be regarded as the same.”
Since 2019, Kakao Pay has used Alipay’s system to prevent fraudulent transactions during Apple App Store purchases. The company transferred encrypted personal data of roughly 40 million Korean users to Alipay’s Singapore subsidiary, which then generated NSF scores—“payment risk indicators.” Apple used these scores to determine whether to approve transactions.
In January, the PIPC fined Kakao Pay 5.968 billion won (approx. $45 million), citing that the company failed to obtain customer consent when transferring personal data overseas. Apple and Alipay were also sanctioned. Kakao Pay filed a lawsuit in response.
Kakao Pay argues that personal data and NSF scores are entirely different. The company stated, “The transfer of encrypted data to Alipay was merely a delegated act to generate NSF scores, which were the only information actually shared with Apple. As Kakao Pay lacks the capability to calculate these scores, it lawfully entrusted the task to Alipay.”
The PIPC counters that the process constitutes third-party data provision. “Since Alipay acts as Apple’s trustee, Kakao Pay’s provision of data to Alipay is effectively provision to Apple,” the commission argued. It maintains that personal data and NSF scores should be treated as legally equivalent, holding Kakao Pay accountable for the overseas transfer.
Alphabiz Reporter Paul Lee(hoondork1977@alphabiz.co.kr)
