On June 25, the Korea Personal Information Protection Commission (PIPC) announced a fine of KRW 210 million on cryptocurrency exchange Bithumb for violating the cross-border personal information transfer provisions of the Personal Information Protection Act in two business scenarios: order book sharing and virtual asset transfers. The fine for the order book sharing violation was KRW 120 million, and for the virtual asset AML transfer violation was KRW 90 million.
Order Book Sharing Fine KRW 120 Million: Consent Targeted Stellar, Data Actually Sent to BingX
The PIPC's investigation originated from issues raised during the 2025 audit. The investigation found that from September to November 2025, Bithumb engaged in cross-border transmission of personal information while sharing Tether (USDT) market order books with overseas exchanges.
The specific violation: users were asked to give separate consent to transfer personal information to Stellar exchange, but the investigation results showed that member numbers and order information were actually transmitted to a system operated by another exchange (bingx.com), not the entity listed in the user consent form. The PIPC imposed a fine of KRW 120 million for this violation.
Virtual Asset AML Transfer Violation: Provided Personal Information to 13 Overseas Exchanges Without Obtaining Separate Consent
The investigation also found that while fulfilling anti-money laundering (AML) obligations, Bithumb provided the names, wallet addresses, and other details of senders and recipients to 13 overseas exchanges when users transferred virtual assets to overseas exchanges, but did not fully meet the legal requirements for cross-border transfers under the Personal Information Protection Act, including failing to obtain separate consent from data subjects. The PIPC imposed a fine of KRW 90 million for this violation.
The PIPC stated: "While we acknowledge the necessity of providing personal information to combat money laundering, the cross-border transfer of personal information is closely related to the data subject's right to self-determination, and therefore legal requirements and procedures must be strictly followed."
Personal Information Protection Commission Issues 'Blockchain Service Personal Information Protection Guidelines'
Based on this investigation, the PIPC developed the 'Blockchain Service Personal Information Protection Guidelines' targeting the characteristics of blockchain technology, covering protection measures for three technical characteristics: measures to prevent leakage and tracking of on-chain information due to transparency; measures to manage information sharing among participants due to decentralization; and measures to establish a compliance path for destruction of personal information due to immutability.
Frequently Asked Questions
What is the specific situation of Bithumb's order book sharing violation?
Between September and November 2025, when sharing USDT market order books, Bithumb required users to give separate consent for cross-border transfer to Stellar exchange, but the investigation found that member numbers and order information were actually transmitted to a system operated by bingx.com, inconsistent with the entity listed in the user consent form. The PIPC imposed a fine of KRW 120 million for this.
Can AML business purposes exempt compliance requirements for cross-border transfers under the Personal Information Protection Act?
According to this PIPC penalty, AML business purposes do not automatically exempt the legality requirements for cross-border transfers. The PIPC clearly stated that even when providing personal information to combat money laundering, the relevant legal requirements and procedures of the Personal Information Protection Act must still be strictly followed, including obtaining separate consent from data subjects.
What three types of technical characteristics do the 'Blockchain Service Personal Information Protection Guidelines' target for protection measures?
The guidelines target three major technical characteristics of blockchain: (1) Transparency – preventing leakage and tracking due to public on-chain information; (2) Decentralization – regulating information sharing mechanisms among participants; (3) Immutability – establishing a compliance path for destruction of personal information.
