Temu is facing a ₩1.37 billion ($982,420) fine in South Korea over its data transfers to other countries. The privacy law violations are due to failure to adhere to the terms of the Personal Information Protection Act (PIPA), the law of the land that saw significant amendments come into force in 2023 that put it roughly on par with the protections provided by the GDPR.
China’s retail sensation running into privacy law violations internationally
The Personal Information Protection Commission (PIPC)’s investigation into Temu began in April 2024 and additionally included AliExpress, which was already assessed a ₩1.98 billion fine in July 2024 for its own similar violations involving overseas data transfers. Temu would have been fined earlier, but experienced delays in submitting sales data necessary to calculate its penalty amount.
PIPC notes that Temu engaged in data transfers to Japan, Singapore and China without properly notifying users or disclosing this information in its privacy policy. PIPA also requires that contractors coming into contact with personal information must be trained on its handling and security and be overseen on an ongoing basis, something that the PIPC says Temu has not shown evidence of doing.
Temu also was hit with privacy law violations for failure to appoint a local representative for Korea, where it has somewhere around three million platform users. It additionally made the account removal process too difficult, requiring seven steps before user information would be deleted.
Another factor in the fine decision was a pilot program that Temu ran in February of this year, in which it collected photo ID scans and facial biometric video recordings from local Korean sellers looking to use the platform to offer their wares. Temu deleted the data during the investigation, but was in violation of regulations handling the collection of resident registration numbers and bans on overseas data transfers that include them.
Temu apparently did have some factors in its favor that may have lessened the fine total, however. PIPC noted that the company voluntarily made improvements to its privacy policy during the investigation and added transparency about its cross-border data transfers, appointed the required local representative for its Korean user base, made the account deletion process easier to deal with, and provided the names of contractors that might come into contact with personal data.
The shopping app will have more to do to rectify its privacy law violations, however. PIPC has ordered it to make further improvements to transparency about how it handles and transfers personal data, improve oversight of its contractors that might be involved in overseas data transfers, and show general improvement in its protection of user privacy rights.
Overseas data transfers have hampered Chinese shopping apps
China’s powerhouse shopping apps have thus far largely evaded the regulatory penalties that the big tech firms have been repeatedly hit with, despite obvious concerns about overseas data transfers to China (where the government has granted itself essentially free and warrantless access to anything stored there under its national security policy). This is the first substantial fine for Temu for privacy law violations; the app has been under investigation in the EU since mid-late 2024, but those probes have focused more on whether the sourcing of its products and sales practices are legal (something it has also faced scrutiny over in the US).
Tiktok seems to have taken most of the regulatory heat of the popular China-based apps, despite Temu and others now having massive overseas user bases. Temu now has a global user base of close to 300 million despite having only just launched in July 2022, and clothing-focused shopping rival Shein is thought to be closing in on 100 million. In both cases the apps focus on rock-bottom pricing achieved by shipping direct to consumers from manufacturers in China, but have also been accused of a variety of misdeeds ranging from paying influencers to make deceptive statements to allowing goods on the platform that are sourced from slave labor. There have also been substantial user complaints about quality, both of the products themselves and the practices of sellers on the platform.
The PIPC has become a very active regulatory agency since a set of updates to the law in recent years expanded the scope of privacy law violations in South Korea. Only weeks prior to the Temu fine, it issued a warning that AI sensation DeepSeek is also engaging in potentially illegal data transfers to China and made moves to restrict it on government devices. And in 2024 it issued a ₩21.6 billion (about $15.5 million) fine to Meta for improperly sharing private Facebook user data with advertisers.
While Temu has yet to see much trouble over privacy law violations outside of the EU and South Korea, several class action lawsuits have been filed in the US over its handling of personal data. The state of Montana banned the app from government devices in 2023 (along with a broad ban on ByteDance’s apps), and Senator Tom Cotton of Arkansas previously urged the Biden administration in 2024 to investigate and ban Temu due to privacy concerns and the labor practices of some of its sellers.
