Bithumb Fined for Unauthorized Overseas Data Sharing

South Korean authorities have imposed a significant penalty of 210 million Korean won (approximately $136,000) on the cryptocurrency exchange Bithumb. The action stems from two violations: sharing user personal information with overseas platforms without obtaining proper consent, and failing to secure adequate consent for cross-border data transfers. The Personal Information Protection Commission (PIPC) detailed that these breaches occurred during the period of September to November 2025, when Bithumb shared its Tether USDT market order books. While Bithumb indicated user consent was obtained for transfers to the Stellar exchange, the PIPC found that the data was actually disseminated to a platform operated by BingX.

Key Takeaways

  • Bithumb has been fined 210 million KRW ($136,000) by South Korea’s PIPC for privacy violations.
  • The exchange shared user personal information with overseas platforms, including BingX, without explicit consent.
  • Bithumb also failed to obtain full consent for sharing user names, wallet addresses, and dates of birth with 13 foreign exchanges.
  • The PIPC stressed the critical importance of user data self-determination rights and stringent compliance with data protection laws.
  • New guidelines for blockchain firms have been issued, advising against recording identifiable information on-chain.

Further scrutiny revealed that Bithumb did not secure comprehensive user consent when facilitating transfers of identifying data, such as names, wallet addresses, and dates of birth, with a total of 13 international exchanges. In response to these two distinct violations, the PIPC has mandated Bithumb to revise its protocols for transmitting user information across borders, in addition to the financial penalty.

The PIPC determined that the cross-border transfer of personal information is a matter closely related to the data subject’s right to self-determination, and therefore requires meticulous compliance with the requirements and procedures stipulated in the Personal Information Protection Act.

The regulatory body also released new information protection guidelines specifically designed for blockchain companies. These guidelines acknowledge the unique characteristics of blockchain technology, such as its transparent, distributed, and immutable nature. A key stipulation within these new guidelines is the prohibition of recording personally identifiable information, including names and social security numbers, directly on the blockchain. This move underscores a global trend towards stricter data privacy enforcement within the digital asset industry, reflecting concerns about user protection and data sovereignty.

Regulatory Precedent and Legal Stakes

This enforcement action against Bithumb carries notable implications for the broader cryptocurrency industry, particularly concerning cross-border data flows and user privacy. The PIPC’s firm stance emphasizes that regulatory compliance is not merely a procedural formality but a fundamental aspect of safeguarding individual rights within the digital economy. The penalty and mandated protocol revisions highlight the legal stakes for exchanges operating internationally: failure to adhere to robust data protection standards, as exemplified by South Korea’s Personal Information Protection Act, can result in substantial financial penalties and operational restrictions.

The PIPC’s explicit reference to the “data subject’s right to self-determination” in relation to cross-border data transfers sets a clear benchmark for how such activities will be evaluated. This principle, central to many global privacy frameworks like GDPR, suggests that exchanges must demonstrate explicit, informed consent for any transfer of personal data outside of their primary jurisdiction. The ruling could influence how other jurisdictions interpret and enforce similar data protection laws within the crypto space. For instance, if other countries adopt similar stringent interpretations, exchanges may need to overhaul their consent mechanisms and data handling practices globally to avoid similar penalties.

Furthermore, the issuance of tailored guidelines for blockchain firms signifies a proactive regulatory approach. By advising against on-chain storage of personally identifiable information, regulators are signaling a desire to integrate privacy-preserving practices directly into the operational fabric of blockchain-based services. This could set a precedent for future regulatory interventions, encouraging the development and adoption of privacy-enhancing technologies and discouraging practices that could lead to irreversible data exposure. The legal framework is evolving to accommodate the unique challenges posed by decentralized technologies, placing a greater onus on companies to prioritize user privacy and legal compliance.

Original article: www.theblock.co
