South Korea’s privacy watchdog has fined Bithumb 210 million won, or about $136,000, after finding problems with overseas personal information transfers tied to order-book sharing and virtual asset transfers.
- Fine: 210 million won, about $136,000
- Regulator: South Korea’s Personal Information Protection Commission
- Violation: Overseas personal information transfer rules
- Order: Correct the transfer process and update privacy disclosures
The Personal Information Protection Commission, or PIPC, said Bithumb moved user data abroad without meeting the legal requirements under South Korea’s Personal Information Protection Act. The problem was not just that data crossed a border. The transfers also did not fully line up with the consent and notice rules meant to protect users.
That matters because privacy law is not only about whether a company collects data. It also covers where that data goes, who gets it, and whether the user actually agreed to that exact path. Consent is supposed to mean something, not serve as decorative legal wallpaper.
According to the PIPC, the cross-border transfer of personal information is closely tied to the data subject’s right to self-determination. In plain English, people should know and control how their personal data is transferred. That becomes a lot more important when an exchange uses overseas systems, foreign counterparties, or cross-border trading infrastructure.
The commission’s corrective order requires Bithumb to fix its overseas transfer process and explain those transfers more clearly in its personal information processing policy. The PIPC also said it will continue to respond strictly to violations of the Personal Information Protection Act.
One detail that stands out is the operational context. The transfer issue came up during order-book sharing and virtual asset transfers. Order-book sharing is when exchanges share buy and sell orders so trades can match across platforms. That can improve liquidity and execution, but if personal information is being sent abroad as part of the setup, privacy rules come into play fast.
This is where a lot of crypto operators still get sloppy. They think in terms of market structure, liquidity, and execution. Regulators think in terms of consent, disclosure, and data flow. Both sides may be talking about the same system, but they are not speaking the same language.
The case also shows how crypto exchanges can run into trouble on more than one compliance front. AML and tax reporting usually grab the headlines, but privacy is now very much part of the fight. Exchanges may need to collect information for anti-money laundering checks, but that does not give them a blank check to reuse it, route it abroad, or hand it to another system without proper notice.
South Korea has been tightening scrutiny of crypto businesses for a while, and Bithumb has already felt that pressure. Earlier, regulators fined the exchange 36.8 billion won for anti-money laundering-related violations. Taken together, the penalties show a blunt reality: Korean crypto firms are being treated less like scrappy internet startups and more like financial intermediaries that need to get the basics right.
That does not make the policy picture simple. Crypto firms are being pushed to satisfy AML obligations, while privacy law pushes in the opposite direction on some points: collect only what is needed, use it for defined purposes, and be honest about cross-border transfers. This is not a “privacy versus compliance” morality play. It is a governance problem, and weak systems will eventually get punched in the mouth by reality.
The PIPC has also released new guidelines for personal information protection in blockchain services. Those guidelines focus on issues like on-chain disclosures, tracking risks, participant data sharing, and personal information destruction. That last part is especially awkward for blockchain systems, which are famously good at storing data and notoriously bad at forgetting it.
That tension is one of the big unresolved issues in crypto: public, distributed systems can make verification easier, but they can also make privacy harder. If personal data is exposed on-chain or mishandled off-chain, the damage can be difficult to unwind. Privacy by design is not a slogan here. It is the difference between a system that works and one that eventually earns a regulator’s attention.
There is also a trust angle that exchanges keep underestimating. If users consent to one overseas recipient, but the actual transfer path or recipient does not match what was disclosed, that is not a harmless technicality. It is a consent problem. And in privacy law, sloppy consent is not a minor paperwork issue, it is the whole point.
For users, the lesson is straightforward. The same platforms that promise fast trading and global access are also handling sensitive data that can move across borders behind the scenes. Names, wallet addresses, transfer records, and other identifiers can all be part of exchange compliance flows. That is exactly why disclosure and consent matter.
For exchanges, the message is harsher. If your trading setup involves overseas systems, foreign service providers, or cross-border matching tools, privacy compliance needs to be built into the plumbing from the start. Bolting it on later, after the regulator shows up with a clipboard, is the expensive way to learn.
South Korea’s broader direction is hard to miss. The country is tightening crypto oversight on privacy, AML, and reporting at the same time. That may frustrate people who want regulation to just get out of the way, but a serious financial system does not run on vibes. If exchanges want the credibility that comes with being treated like real financial infrastructure, they also need to accept the obligations that come with it.
Key questions and takeaways
- Why was Bithumb fined?
  South Korea’s PIPC said Bithumb violated overseas personal information transfer rules by moving user data abroad without meeting the required consent and notice standards.
- Was this only an AML case?
  No. The enforcement action is also about privacy, consent, and cross-border data handling, not just anti-money laundering compliance.
- What did the regulator order Bithumb to do?
  The PIPC ordered Bithumb to correct its overseas transfer process and explain relevant transfers more clearly in its personal information processing policy.
- Why does order-book sharing matter?
  Order-book sharing can improve liquidity by matching trades across platforms, but if personal data moves overseas as part of that process, privacy laws apply.
- What does this mean for other exchanges?
  It is a warning that privacy regulators are watching cross-border data flows closely. Privacy policies, overseas recipients, and consent language matter just as much as AML controls.
- Why is blockchain privacy so hard?
  Blockchain systems can be transparent, distributed, and difficult to erase, which makes personal data handling more sensitive than in many ordinary web services.
The bigger takeaway is simple: crypto compliance is no longer just about not laundering money. It is also about not casually exporting user data and hoping nobody notices. In South Korea, at least, that kind of nonsense is getting expensive.