Fine Imposed on Bithumb for Data Transfer Violations
The Personal Information Protection Commission (PIPC) of South Korea has issued a fine of 210 million won (approximately $136,000) against cryptocurrency exchange Bithumb for failing to adhere to regulations governing the transfer of personal data outside the country. This decision was made during the commission’s meeting held on June 24, following the discovery that Bithumb had transferred personal information abroad during its practices of sharing order books and conducting virtual asset exchanges without obtaining proper consent as prescribed by the Personal Information Protection Act.
Background of the Investigation
The regulatory scrutiny was initially sparked by inquiries raised during a parliamentary audit in 2025, which specifically questioned Bithumb’s sharing of order book data with foreign exchanges. Order book sharing is a practice that allows exchanges to synchronize their buying and selling orders, facilitating trade matching across borders.
Findings of the Investigation
The investigation revealed that between September and November of 2025, Bithumb shared its Tether USDT market order book data with overseas entities. While users had consented to data transfer involving a specific exchange, Stellar, the commission found that their identification details and order data were sent to an unapproved platform, bingx.com. This incident underscores the risks associated with liquidity partnerships that inadvertently compromise user privacy when personal identifiers and order data cross international boundaries.
Concerns Over Data Privacy and Compliance
Additionally, the PIPC scrutinized Bithumb’s transfers of virtual assets to 13 different foreign exchanges, where sensitive information like sender and recipient names, wallet addresses, and even dates of birth were disclosed for anti-money laundering (AML) verification. Although the commission acknowledged that personal data might be necessary for AML compliance, it emphasized that cross-border data transfers must align with users’ rights to govern their personal information. The PIPC stressed the importance of adhering to established consent and notification protocols as mandated by law, asserting that such data transfers are vital to maintaining users’ autonomy over their information.
Regulatory Actions and Future Implications
The commission’s ruling mandates that Bithumb implement corrective measures regarding its overseas data transfer protocols and mandates transparency in its personal information processing policies. This fine adds further regulatory pressure on Bithumb, which had previously faced penalties totaling 36.8 billion won for various AML violations concerning customer verification, transaction monitoring, and dealings with foreign virtual asset service providers without appropriate registration.
In light of these developments, discussions around South Korea’s proposed changes to crypto AML regulations suggest that exchanges may soon be under greater scrutiny, particularly as new measures may require automatic flags for all overseas transactions exceeding 10 million won. South Korean authorities are actively pursuing enhanced oversight of international cryptocurrency operations, including a plan to share crypto transaction data with 48 nations as part of the OECD Crypto-Asset Reporting Framework.
Conclusion
The current case against Bithumb emphasizes the need for crypto exchanges to balance AML compliance with data privacy obligations. Alongside the penalty, the PIPC has also introduced new guidelines aimed at safeguarding personal information within blockchain environments, citing the unique privacy challenges posed by the transparent and decentralized nature of blockchain transactions. These regulations call for better management of data disclosures, risk tracking, data sharing among participants, and the safeguarding of personal information.
As the PIPC continues to strictly enforce the Personal Information Protection Act, Bithumb’s recent fine, although lower than its previous AML penalty, highlights a significant challenge within South Korea’s cryptocurrency arena. Exchanges now find themselves navigating a complex landscape of regulatory compliance focused on customer consent and data protection alongside traditional concerns like money laundering risk.
