Image credit: do21c on Pixabay
The South Korean government has levied fines against Apple after it was found using illegally obtained data to predict when users couldn’t pay for App Store purchases — and Apple’s representatives aren’t in the mood to talk about it.
In January, Apple had been fined by the South Korean government for using data illegally obtained without users’ consent. The fines totaled 4.65 billion won, a sum that works out to be just under $3.2 million.
During the February 25 meeting with the Personal Information Protection Commission (PIPC), Apple representatives were asked which other countries used Apple’s NSF scores. According to The Korea Herald, the representatives responded by saying “It is hard to make a public statement because we have to confer with our client. We do not know exactly.”
Apple was asked if it had kept records so the incident could be investigated, and the Apple representatives answered, “Many of those related have left the company. We can’t track down (the related) emails.”
Commission members were unimpressed with the responses, and were quoted in the meeting minutes as saying, “We cannot but wonder if it is appropriate for the respondent to simply say, ‘we don’t have the data,’ or ‘this is all we can tell you.'”
The incident in question stemmed from data collected by Kakao Pay, a mobile payment and digital wallet service based in South Korea. The data was sent to Alipay, a Singapore-based mobile payment platform.
Data collection occurred between April and July 2018 and affected roughly 40 million users. According to PIPC, “less than 20% of users registered Kakao Pay with Apple as a payment method, but Kakao Pay sent the information of all users, including not only Apple users but also non-Apple users (e.g. Android users), to Alipay.”
That data was then used to create a Non Sufficient Funds score, or NSF score. The score was a customer-specific metric used to determine whether a user had enough money to cover when multiple small payments, such as repeat in-app purchases, are bundled into one bill.
KakaoPay customers were not being told that their data was being transferred overseas. This sort of data collection is a direct violation of South Korea’s Personal Information Protection Act (PIPA).
Additionally, Apple did not disclose that it had a trustee relationship with Alipay. PIPA required Apple to be transparent about the relationship, but it did not mention Alipay in its privacy policy.
Apple was fined 2.45 billion won (approx. $1.71 million)and told to destroy the NSF score calculation model. Apple was fined an additional 2.2 billion won (approx. $1.53 million) for failing to disclose that users’ information was obtained in the first place.
Kakao Pay was fined nearly 6 billion won (approx. $4.2 million) and told that it would need to align its data-sharing practices with rules outlined in PIPA.
Alipay was ordered to destroy the model it built with the illegally obtained data, but it is unclear whether the Singapore-based company has incurred any fines of its own.
