South Korean cryptocurrency exchange Bithumb has been fined 210 million won (approximately $151,000) by the country’s data protection regulator for transferring users’ personal information to overseas exchanges without obtaining proper consent. The penalty, reported by local media outlet NoCut News, stems from an investigation by the Personal Information Protection Commission (PIPC).
Details of the Data Transfer Violation
According to the PIPC’s findings, the violation occurred between September and November of last year. During this period, Bithumb shared its Tether (USDT) market order book with an unidentified overseas exchange. The exchange had initially obtained user consent to transfer personal data to a platform it referred to as ‘Stellar Exchange.’ However, the investigation revealed that member numbers and order information were actually transmitted to a system operated by a different, unnamed exchange, constituting a breach of consent protocols.
Furthermore, the PIPC discovered that Bithumb had been providing the personal information of both senders and recipients—including names, wallet addresses, and dates of birth—to 13 overseas exchanges. This data sharing was ostensibly conducted for anti-money laundering (AML) purposes during the processing of user virtual asset transfers. The regulator deemed these transfers to have occurred without the explicit, informed consent of the users involved.
Regulatory Context and Implications
This fine comes amid a broader tightening of data privacy regulations in South Korea, a country with some of the world’s strictest personal information protection laws. The PIPC has been increasingly active in scrutinizing how technology and financial firms, including cryptocurrency exchanges, handle user data. The case against Bithumb serves as a clear signal that the regulator is closely monitoring cross-border data flows, a critical issue for global cryptocurrency platforms.
For users, this incident underscores the risks associated with sharing personal data on centralized exchanges, particularly when that data may be transferred across international borders for operational or compliance reasons. The lack of transparency about which entities ultimately receive user information is a central concern highlighted by this case.
Impact on the Crypto Industry
The fine, while relatively small compared to Bithumb’s trading volume, carries significant reputational consequences. It raises questions about the internal data governance practices of major exchanges. The industry now faces increased pressure to implement more robust consent mechanisms and to provide users with clear, auditable records of where their personal data is being sent and for what purpose. This case may also prompt other exchanges to proactively review their data-sharing agreements with international partners to avoid similar penalties.
Conclusion
The PIPC’s action against Bithumb is a landmark enforcement in the intersection of cryptocurrency operations and data privacy law. It demonstrates that even established exchanges are not immune to regulatory scrutiny and that user consent is a non-negotiable requirement, regardless of the technical or compliance justifications for data sharing. As global regulators continue to refine their approaches to crypto, this case will likely be referenced as a precedent for data protection in the digital asset space.
FAQs
Q1: What exactly did Bithumb do wrong?
Bithumb was fined for transferring user personal data to overseas exchanges without proper consent. Specifically, it shared order book data with a different exchange than the one users had consented to, and it provided personal information (names, wallet addresses, birth dates) to 13 overseas exchanges for AML purposes without explicit user permission.
Q2: How much was Bithumb fined and who imposed the penalty?
Bithumb was fined 210 million won, which is roughly $151,000 USD. The penalty was imposed by South Korea’s Personal Information Protection Commission (PIPC), the country’s primary data privacy regulator.
Q3: What should crypto users learn from this incident?
Users should be aware that their personal data on centralized exchanges may be shared with third parties, including overseas entities, often for compliance reasons like anti-money laundering. It is important to read privacy policies carefully and understand where data is being sent. This case also highlights the importance of regulators enforcing transparency and consent in the crypto industry.
coindesk.com
cointelegraph.com
crypto.news