The Special Financial Information Act Is Not Enough... Exchanges Face Scrutiny Over Cross-Border Personal Data Transfers [Crypto Briefing]
- Input: 2026-06-29 16:01:17
- Updated: 2026-06-29 16:01:17

[Financial News] The move by the Personal Information Protection Commission (PIPC) to sanction Bithumb has brought the procedures for cross-border personal data transfers into sharp focus, especially where virtual asset exchanges link with overseas platforms and implement the Travel Rule, an anti-money laundering measure that requires real-name verification for coin transfers.
According to the industry on the 29th, PIPC recently imposed a fine of 210 million won on Bithumb for violating rules on cross-border personal data transfers and approved a corrective order requiring the company to meet legal transfer requirements. Bithumb said it has already completed improvement measures in response to the authorities' position on the cross-border transfer of personal data involved in its order book sharing process, which was raised during last year's parliamentary audit.
The sanction is drawing attention because it is closely tied to the practical implementation of the Travel Rule at virtual asset exchanges. The Travel Rule is an anti-money laundering safeguard that requires the sender and recipient information to be verified and transmitted when virtual assets are transferred. In other words, when information is transferred to an overseas virtual asset exchange, companies must review not only their obligations under the Act on Reporting and Using Specified Financial Transaction Information, but also whether they need consent for cross-border transfers under the Personal Information Protection Act, whether third-party disclosure applies, and whether their privacy policy properly explains the processing. Under the anti-money laundering rules, personal data that may be provided includes names, wallet addresses, and, upon request, resident registration numbers, passport numbers, and foreign registration numbers. Depending on future regulatory decisions, additional procedures for third-party disclosure consent and cross-border transfer consent under the Personal Information Protection Act may be required.
An official from Company A said, "We need to closely review what information must be transmitted to comply with the Act on Reporting and Using Specified Financial Transaction Information, and whether any customer personal data is being transferred overseas to comply with the Personal Information Protection Act." The official added, "If personal data is transferred abroad, we must obtain separate consent and disclose it in our privacy policy."
An official from Company B also said, "The Travel Rule is an anti-money laundering obligation, while cross-border personal data transfer is a procedure related to the rights of data subjects, so both regulations can apply at the same time." The official added, "We will need to update not only contracts with overseas exchanges, liquidity providers, and Travel Rule solution firms, but also customer notices and consent procedures."
Even exchanges that do not share order books are reviewing the need to improve internal procedures related to Travel Rule data transmission. An official from Company C said, "If the obligation to provide information becomes more specific when virtual assets are transferred to overseas exchanges, we plan to improve our internal procedures for personal data as well as anti-money laundering compliance." The official added, "Even member numbers can be considered personal data if they are combined with other information, so we need to examine whether the data we provide qualifies as personal data when reviewing overseas linkage."
Along with the sanction, PIPC also released the "Blockchain Service Personal Information Protection Guidelines." The guidelines reflect privacy risks arising from the transparency, decentralization, and immutability of blockchain technology, and they propose measures for handling on-chain information disclosure and tracing, managing information sharing among participants, and deleting personal data.
The industry, however, said the applicability of the guidelines may vary depending on the service structure. It noted that implementation is more difficult in systems where there is no clear controlling entity, such as public chains, Decentralized Finance (DeFi), and Non-Fungible Token (NFT) services. An official from Company D said, "It is difficult to apply the rules to fully permissionless DeFi or NFT services because there is no controlling entity that can enforce how information is recorded." The official added, "In public chains, Decentralized Autonomous Organizations (DAOs), and structures where multiple validators and node operators are distributed, the scope of participants and their responsibilities are not clearly disclosed in advance, and there is no obvious central authority to exercise control."
Whether wallet addresses qualify as personal data is also a point of contention. Industry officials say the issue should be judged not by a single data item, but by the possibility of combining it with other information. An official from Company E explained, "A wallet address itself is close to anonymous, but once it is repeatedly used and linked even once to off-chain identity information, it can become a key to tracing future transactions." The official added, "When wallet addresses, transaction times, order IDs, and token IDs are combined with off-chain information, the likelihood of identifying a specific individual increases significantly."
elikim@fnnews.com Kim Mi-hee Reporter