Concerns Grow Over Global OTAs' Data Protection as Domestic Oversight Tightens
Creatrip Team
3 months ago
A series of recent data breaches at major Korean companies has sharpened scrutiny on how online travel agencies (OTAs) handle sensitive customer information like passports and payment details. Domestic OTAs are subject to Korean laws (e.g., Personal Information Protection Act) and tourism registration, so they face tighter inspections and stronger enforcement. Major global OTAs — such as Booking.com, Agoda, Hotels.com and Trip.com — often operate with overseas headquarters and servers, not registering as travel businesses in Korea. That creates enforcement gaps: Korean regulators can investigate and recommend measures but have limited power to compel foreign companies, leaving consumers with delayed refunds, voucher conversions, or customer-service access problems. Consumer complaints to the Korea Consumer Agency from 2019–July 2025 were highest against Agoda and Trip.com. Experts urge requiring foreign OTAs to register a Korean entity or place responsibility on local branches, and suggest tying participation in government tourism projects to compliance, so platforms handling cross-border personal data follow Korean oversight. (OTA: online travel agency; ISMS-P: Information Security Management System – Personal information)
