Data Protection & Cybersecurity 2019 Comparisons

Last Updated March 28, 2019

Contributed By Lee & Ko

Law and Practice

Authors



Lee & Ko parallels in many ways the solid economic development of the country in its evolution as the premier law firm in Korea, over the more than 40 years following its founding in 1977. The firm is one of the top law firms in Korea that is recognised for expertise in all major practice areas, which includes over 30 specialised practice groups, and that is consistently acclaimed over the years as one of the leading firms in Asia by internationally respected legal publications and league tables. Also, Lee & Ko has a global client base that includes domestic conglomerates to multinational corporations in many different industries. We have an unrivalled list of leading clients from the US, EU, China, Japan and more, as well as high-profile start-up high-tech companies. Our global reach is a result of our Korean-licensed lawyers with outstanding foreign language capabilities working together with our experienced foreign-licensed lawyers. Lee & Ko’s Data Protection/Privacy (DPP) Practice Group provides professional legal services, including an advisory service on a wide range of cases involving (inter alia) ever-increasing security breaches and hacking incidents, as well as representation of clients in litigations and regulator’s investigations. The entire DPP Practice Group is comprised of more than 20 legal professionals with extensive experience of handling IT compliance projects and pertinent know-how, allowing us to offer high-quality advice fitted to the needs of our clients.

Under the Constitution of Korea, the right to privacy, privacy of communications, and the freedom of expression are recognised as fundamental rights. In addition, the Constitutional Court of Korea has established that the right to control one’s personal data should be viewed as a separate fundamental right.

The main laws and regulations related to data protection and cybersecurity are the Personal Information Protection Act (“PIPA”)  and its implementing Rregulations, which regulate the collection, usage, disclosure and other processing (collectively, ‘processing or process’) of personal data by governmental and private entities. In addition to the PIPA, there are sector-specific laws that also regulate the data protection. The processing of personal data by online service-providers, including telecommunication service-providers, is regulated by the Act on Promotion of Information Communication Network Usage and Information Protection (‘“Network Act’”), and the processing of (personal) credit information by financial institutions is regulated by the Act on Usage and Protection of Credit Information (‘“Credit Information Act’”). For the processing of personal data by online service-providers and the processing of credit information by financial institutions, the Network Act and the Credit Information Act will each be applied, respectively, ahead of the PIPA.  However, for matters on which the Network Act and Credit Information Act are silent, the PIPA may still apply.

Regulators may impose various administrative sanctions such as corrective orders, administrative fines, and penalty surcharges for violations of data protection and cyber-security laws and regulations. Additionally, public prosecutors may investigate any violations that are also subject to criminal punishment and, in certain cases, impose penalties upon both companies and individuals if the relevant provisions provide for vicarious liability.

Various regulators are involved in enforcing Korean data protection laws. First, the regulatory authority responsible for enforcing PIPA is the Ministry of Interior and Safety (“MOIS”). The MOIS is one of the ministries of Korea’s administrative department. The regulatory authority responsible for enforcing the Network Act is the Korea Communications Commission (“KCC”). The KCC is composed of five commissioners and their supporting staff organisation, and the commissioners are nominated by the president. Meanwhile, the Financial Services Commission (“FSC”) enforces the Credit Information Act and issues formal interpretations thereon.

Also, the Personal Information Protection Commission (“PIPC”) shapes data protection policies while assessing the enactment and/amendment of laws and administrative measures relating to the protection of personal data, and the Korea Internet and Security Agency (“KISA”) performs tasks delegated to it by the MOIS, KCC and PIPC.

When privacy and cyber-security law violations occur or complaints are registered regarding such violations, the pertinent regulator may get involved, depending on which sectoral laws are implicated.  Regulators also occasionally conduct surveys to establish if certain industries and industry players are in compliance with applicable privacy and cyber-security laws.

Under the PIPA, the MOIS is allowed to impose administrative sanctions such as penalty surcharges, administrative fines, and corrective orders on data handlers, and if they are found to be in violation of a law, or the MOIS receives a complaint of such a violation, it may request the data handler to submit relevant materials regarding the violation.

The imposition of the administrative sanction must be done properly in accordance with the Administrative Procedures Act, and the data handler subject to the administrative sanction may object to the administrative sanction by filing an administrative lawsuit or administrative appeal.

South Korea is a member of APEC. In its press release issued on 27 December 27, 2017, KISA announced that it had filed an application with APEC to be recognised as an accountability agent of the Cross-Border Privacy Rules (“CBPR”) system. KISA is expected to promote the CBPR system to Korean businesses in 2018 and make preparations for establishing a detailed system of implementing the CBPR, and officially start operating the CBPR system in 2019. 

Under the PIPA, the PIPC and MOIS are obliged to promote self-regulation. In this regard, a personal data self-regulation programme has been established in order to promote self-regulation in the data protection sector. If an association comprised of companies within a specific industry meets certain requirements, the MOIS will designate such association as a self-regulatory industry group so that it may establish data protection standards suited to its specific industry and require member companies to comply with these standards.

Although this programme is still in the early stages of implementation, the MOIS appears to be advocating self-regulation by designating additional data protection self-regulation organisations and by displaying its commitment to promulgating relevant regulations in support thereof. As of 2018, a total of 14 associations (including the Korean Hospital Association, Korea Association of Realtors and, Korea Association of Travel Agents) were designated as self-regulatory industry groups.

In general, NGOs are engaged in various activities such as reporting data breaches to the regulatory authorities, requesting a criminal investigations into such data breaches, and filing public interest lawsuits against responsible data handlers. 

Overall, Korean data protection laws are some of the most stringent in the world, and the enforcement of the Regulations is also relatively aggressive. In principle, the processing of personal data by governmental and private entities is contingent on the explicit opt-in consent of the data subject to ensure the data subject’s right to informational self-determination.

From from 19 March 2019, when recent amendments to the Network Act take effect, information and communications service providers (“ICSPs”) without a place of business in Korea that, nevertheless, meet certain criteria regarding the number of users and sales revenue, will be required to designate a Korean representative (ie, a corporation or individual that has an address or place of business in Korea) in writing to handle tasks related to the processing of personal information, and include information regarding the designation of such Korean representative in their privacy policy (Amended Network Act, Articles 32-5). In addition, the amendments provide that anyone who receives personal information from an ICSP subject to the Network Act will be:

  • prohibited from entering into a data processing agreement that violates the Network Act;
  • required to obtain consent from the data subject for the onward transfer of his or her personal information to a third country after it is initially transferred from Korea; and
  • required to implement certain mandatory safeguards in order to protect the personal information that is being re-transferred to a third country (Amended Network Act, Article 63(5)).

Meanwhile, multiple lawsuits related to the massive data breach that occurred at three major Korean credit card companies in 2014 are being litigated in Korean courts, and a final decision was rendered by the Supreme Court on 27 December 2018 for several of the lawsuits, ordering the credit card companies to provide KRW 100,000 (approximately USD88) in compensation to each affected data subject. As this incident represented the largest-ever data breach that occurred in Korea, the foregoing Supreme Court decision is expected to influence both current and future court cases widely when determining damages related to the leakage of personal information. Statutory and punitive damages were not available at the time of the data breach regarding the above-mentioned Supreme Court decision because the data breach pre-dated the effective date of the statutory and punitive damages provisions mentioned in 6.1 Key Laws and Regulators below.

With the advent of the Fourth Industrial Revolution, it has become essential to utilise Big Data in order to facilitate the development of artificial intelligence and other emerging technologies. However, the lack of a legal framework to support the development of Big Data industries and technologies has been widely criticised as being a source of uncertainty and an obstacle to future growth. As a result, active discussions involving various experts from the private, public, and academic sectors are underway to canvass opinion on the need to reform laws and systems to support the Big Data industry. In particular, Korea’s Presidential Committee on the Fourth Industrial Revolution hosted two regulatory and institutional reform hackathons in February and April of 2018. Through these events, general consensus was reached regarding the need to achieve balance between the protection of personal information and its utilisation through the introduction of concepts such as pseudonymised data and the combination of data sets. Thereafter, several bills reflecting this consensus and proposing to amend the main Korean data protection laws such as the PIPA, the Network Act, and the Credit Information Act were introduced in the National Assembly and are currently undergoing review. Consequently, companies are advised to continue monitoring related legislative developments as the bills are expected to bring about wide-sweeping changes across Korea’s data industry if adopted.

In addition, the PIPA’s amendment bill of PIPA and the Network Act above also propose to transfer enforcement authority for matters related to the protection of personal information to the Personal Information Protection Committee (from the current MOIS and KCC).

Lastly, efforts are underway in the finance sector to introduce the right of portability to promote the development of so-called ‘My Data’ industries. Specifically, financial regulators are seeking to permit the establishment of self-credit information management businesses and, to this end, plan to introduce a bill amending the Credit Information Act in the second half of 2019.

As explained above in the Introduction section, data privacy is fundamentally governed by the PIPA. The Network Act may also apply where data privacy on online or mobile platforms is concerned. Below, we explain the key provisions of the PIPA and the Network Act.

Under the PIPA, all data handlers are required to appoint a data protection officer (“DPO”).  The DPO is responsible for overseeing all matters related to the processing of personal data, including compliance with the relevant laws, protection of personal data, and protection of a data subject’s rights.

Under the Network Act, online service-providers are also required to appoint a DPO subject to certain exemptions (eg, an online shopping service-provider with fewer than five full-time employees).

In the absence of consent of data subjects, data handlers are permitted to collect personal information in the following cases:

  • if the collection is specifically required or permissible under other applicable laws and regulations, or necessary to comply with the data handler’s obligations under other applicable laws and regulations;
  • if collection by a public institution is unavoidable to perform its legally mandated duties and responsibilities;
  • if the collection is necessary for the execution and performance of a contract with the data subject;
  • if there exists a clear and urgent need to protect the life, physical or economic interest of the data subject or a third party, and consent for the collection of personal information cannot be obtained in an ordinary manner because the data subject (or his or her legal guardian) cannot express his or her intent, or his or her address is unknown; or
  • if the collection is necessary to achieve a legitimate interest of the data handler where such interest clearly overrides the rights of the data subject,; provided that collection will be substantially relevant to the legitimate interest of the data handler, and that such collection is only performed to a reasonable extent.

In the absence of consent of data subjects, data handlers are permitted to provide personal information they have collected to third parties in the following cases:

  • if the provision is specifically required or permissible under other applicable laws and regulations, or necessary to comply with the data handler’s obligations under other applicable laws and regulations;
  • if provision by a public institution is unavoidable to perform its legally mandated duties and responsibilities; or
  • if there exists a clear and urgent need to protect the life, physical or economic interest of the data subject or a third party, and consent for the provision of personal information cannot be obtained in an ordinary manner because the data subject (or his or her legal guardian) cannot express his or her intent, or his or her address is unknown.;

It should be noted, however, that exceptions to the consent requirement are recognised more narrowly under sector- specific laws such as the Network Act and Credit Information Act and thus, attention should be paid accordingly.

Unlike the GDPR, Korea’s data protection and privacy laws do not specify the requirements that will trigger the application of a ‘privacy by design’ or ‘by default’ concept. However, the PIPA, the Network Act, and their respective implementing Rregulations set forth detailed standards on the technical and managerial measures to be taken with respect to personal data processing systems and network security. When designing their personal data protection measures, data handlers should take such standards into consideration. Recently, there has been more discussion in Korea regarding the need for introducing the ‘privacy by design' or ‘by default’ concept so that companies may establish a comprehensive information management process covering the lifecycle of a product or /service.

Private companies are not legally required to conduct privacy impact analyses.  Under the PIPA, only public institutions managing personal data files that meet certain criteria must conduct privacy impact analysis if there is a concern that a data subject’s privacy may be infringed upon due to the management of the personal data file.

Data handlers are required to disclose their privacy policies, usually through their website. The privacy policy shall include information on:

  • the items of personal data to be processed;
  • the purpose of processing the personal data;
  • matters concerning the transfer or outsourcing of personal data to third parties;
  • the period of retention and use of personal data;
  • matters related to the destruction of stored personal data;
  • the rights of data subjects or users and the process of exercising such rights; and
  • information regarding protection measures.

Under the PIPA, a data subject has the following rights.

Right of access to data:

A data subject has the right to request access to his or her personal data that is being processed by the data handler. In principle, the data handler must allow the data subject to access his or her personal data within ten days of receiving such a request.

Right to rectification of errors and deletion

A data subject who accesses his or her personal data has the right to request rectification or deletion of his or her personal data. The data handler must rectify or delete the personal data immediately upon receiving such a request and notify the data subject of the results.

Right to object to processing

A data subject has the right to request suspension of the processing of his or her personal data. Unless there are grounds for refusing such a request, the data handler must suspend the partial or entire processing of the data subject’s personal data without delay.

Currently, apart from regulatory guidelines issued by the Korean government, there is no legal framework to regulate the de-identification of personal information, which has resulted in widespread criticism regarding the lack of legal grounds for enforcing the various requirements set forth in the regulatory guidelines. Through the aforementioned regulatory and institutional reform hackathons hosted by the presidential committee on the fourth industrial revolution, agreement was reached on the purpose and scope of pseudonymised data, and to enact laws to formally regulate the de-identification of personal information. To this end, a bill has been introduced in the National Assembly to enact relevant legislation.

There is no specific law or regulation in Korea that regulates profiling, automated decision-making, online monitoring or tracking, Big Data analysis or, artificial intelligence.

The concept of ‘injury’ or ‘harm’ is not defined under the relevant laws. However, under the PIPA, a data subject who suffers injury as a result of the data handler’s violation of an applicable law may request compensation of the injury from the data handler. Details regarding private litigation are explained below.

Sensitive information is defined as personal data regarding an individual’s ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal data that may cause a material breach of privacy (genetic information and criminal records are listed as other sensitive information in the Presidential Decree of the PIPA).

To process sensitive data, the data handler must obtain the data subject’s express consent, separate from the consent to the processing of other personal data.

The processing of financial data is regulated mainly by the Credit Information Act.

‘Credit information’ means the following information prescribed by Presidential Decree, which is necessary to determine the creditworthiness of the other party to financial transactions and other commercial transactions. This includes:

  • information by which a particular owner of credit information can be identified;
  • information by which the transaction details of an owner of credit information can be determined;
  • information by which the creditworthiness of an owner of credit information can be determined;
  • information by which the credit transaction ability of an owner of credit information can be determined; and
  • other similar information.

‘Personal credit information’ means credit information that (i) is necessary to determine the credit rating and credit transaction ability of an individual, and (ii) relates to a living natural person from which the individual can be identified through their name, resident registration number, and so on (including any information from which, if not by itself, but easily combined with any other information, a specific individual is identifiable).

The Credit Information Act contains provisions on the licensing/regulation of credit information businesses such as credit inquiry companies and credit investigation companies, the collection/investigation/processing of credit information, and protection of credit information subjects.

There are no individual laws regarding the protection of health data and medical data. Health data and medical data qualify as sensitive information under the PIPA, and are thus protected under the general data protection and privacy laws. Where individual laws such as the Medical Service Act stipulate rules on the processing and protection of health data, these said laws will apply. Medical institutions may collect and use medical records and personal data of a patient without his or her consent if the collection and use is for medical treatment purposes (Medical Service Act, Article 22). Clinical trial data may only be processed to the extent that informed written consent is obtained from the patient (ie, trial subject).

For your information, the Ministry of Health and Welfare (“MOHW”) and the MOIS have prepared guidelines for medical institutions on the standards for processing patients’ personal data and other measures related to the protection of personal data.

If voice data (eg, recorded voice calls) may be used to identify an individual, it will be considered personal data and subject to certain processing restrictions under the relevant laws. Meanwhile, wiretapping/intercepting the contents of an on-going voice call may be viewed as a violation of the Communications Privacy Protection Act (“CPPA”).

There are no separate laws or regulations on the processing of text messages.  However, the monitoring/interception of text messages that are being transmitted may be considered a violation of the CPPA. 

The CPPA makes it a criminal offence for any party to acquire or record the contents of any “transmission or reception of all kinds of sounds, words, symbols or images by wire, wireless, fibre cable or other electromagnetic system, including telephone and e-mail,” except with the consent of the party concerned.

Under the Network Act, online service-providers are required to disclose their privacy policies, usually through their website. Information that must be included in the privacy policy is as described above. 

There is no law or regulation that regulates cookies, beacons, or tracking technology in particular. However, behavioural data that may be used in conjunction with the foregoing technologies may constitute personal information if it can be easily combined with other user information to identify specific individuals. In such cases, the processing of behavioural data will be subject to various requirements under Korean data protection laws applying to the processing of personal information.

There are no separate laws or regulations on tracking technology. However, if cookies qualify as personal data, the processing of cookies must be done in accordance with the Network Act and PIPA.

The KCC announced the Guidelines on Privacy and Online Behavioural Advertising  in February of 2017. Although the guidelines do not state that the prior consent of users should be obtained in order to conduct targeted advertising to them, companies engaging in such advertising must, nevertheless, provide notice of the items of behavioural data that will be collected, the methods of collection, the purposes of collection, periods of retention and use, methods through which users may exercise control authority, and methods for providing redress to users who suffer damages. Users will be able to control their exposure to targeted advertisements appearing through web browsers and smartphone applications by using the methods that have been notified. In addition, if any personal information is collected in the course of conducting targeted advertising, then the consent of users for the processing of such personal information may be required pursuant to Korean data protection laws.

The Network Act requires “matters concerning the installation, operation, and denial of a device that automatically collects personal data, such as an Internet access information files” to be specified in a privacy policy.

If video and television data can be used to identify an individual and thus qualifies as personal data under the PIPA, the processing of this data will be subject to the PIPA. The PIPA also regulates video data-processing devices such as CCTV that is installed in public places. In principle, video data-processing devices may not be installed in public places, unless in special circumstances where the installation is specially permitted by a law or regulation. In all cases, a notice sign that includes legally mandated information must be placed next to where a CCTV is installed.

Also, it may be helpful to keep an eye out for the “Draft Act on the Protection of Personal Video Information,” which has currently been introduced to the National Assembly.

Social media, search engines and, large online platforms are all information and communications services subject to the Network Act and value-added telecommunications services subject to the Telecommunications Business Act (“TBA”).

Under the PIPA, a data subject is entitled to request a data handler to delete his or her personal data. Also, under the Network Act, if information that was provided via an information and communications network for the purpose of being disclosed to the public ends up infringing upon another person’s privacy or damages his or her reputation, the person who was affected in such an adverse manner may request the ICSP to delete such information by explaining how his or her rights were infringed upon.

The Network Act prevents the distribution of illegal information such as obscene materials, defamatory information, media contents harmful to juveniles, and information relating to speculative acts that are prohibited by law via information and communication networks. 

There are no separate laws or regulations on data portability.

In light of the increasing social influence of large-scale web portals as media distributors, several bills have been introduced to the National Assembly calling for tougher regulation of web portals. The bills propose regulations on the arrangement of articles on the web portals’ websites, prevention of manipulating search results, submission of accounting data for each service to the government, blocking the distribution of illegal information, and imposition of a monitoring obligation.

If data handlers and online service-providers seek to process the personal data of children under the age of 14, they are required to obtain the consent of the children’s legal guardians. The minimum amount of personal data that is necessary to obtain the legal guardian’s consent in the first place may be collected from the child without the legal guardian’s consent. In addition, such legal guardians are authorised to exercise the children’s rights under the PIPA and the Network Act.

Educational or school data is regulated not only by the PIPA, but also the Education Framework Act, Elementary and Secondary Education Act, and the Rules on the Operation of the Infant Education Information System and Education Information System.

A student’s personal data, school records, and physical check-up records must not be provided to a third party without the consent of the student (if he or she is underage, the consent of the legal guardian or the student) unless allowed under an applicable law.

Legal guardians (eg, parents) have the right to view student information (eg, school records) of the person that is in their care, and may also view computerised data of such person by accessing the educational administration information system.

Information related to an individual’s ideology, faith, labour union membership, political views, affiliations with a political party, health or medical treatment information, sexual orientation and the like constitute sensitive data under the PIPA. 

Additional consent for the processing of sensitive data, apart from the consent for the processing (eg, collection and use, provision to third parties) of regular personal information, must be obtained separately in order to process sensitive data.

Under the Network Act, the recipient’s express prior consent is required for the transmission of commercial advertising information through electronic means (eg, mobile phone, email, etc). This consent must be obtained in addition to the consent for the collection and use of personal data for marketing purposes.

Privacy in the workplace will be governed by the PIPA.

The MOIS and KCC may request data handlers to submit explanatory material in response to alleged violations of the PIPA and Network Act, respectively, and may jointly inspect data protection compliance levels of data handlers in conjunction with the relevant central government agency in order to prevent and effectively respond to security incidents involving the leakage of personal data. The MOIS and KCC may also impose administrative sanctions in the form of corrective orders, administrative fines, penalty surcharges, etc upon finding any violations of the PIPA and Network Act, respectively.

Under the Criminal Procedure Act, search and seizures must be, in principal, conducted pursuant to a court-issued warrant. However, data handlers may be required to submit information relevant to investigations being conducted by government authorities pursuant to applicable laws such as the TBA (communication records), Monopoly Regulation and Fair Trade Act (business records and products of companies), and the Act on Reporting and Using Specified Financial Transaction Information (“ARUSFTI”) (specified financial transaction information).

For your reference, in a recent Supreme Court decision involving whether an internet portal operator’s provision of communication records pursuant to the TBA upon the request of investigative authorities infringed upon the privacy rights of data subjects, the Supreme Court held that, in the absence of special circumstances, the internet portal operator should not be liable to data subjects for any damages suffered if their communication records were provided in response to a lawful request made by investigative authorities in connection with an investigation.

As discussed above, search and seizures must be, in principle, conducted pursuant to a court-issued warrant. However, if a specific law or regulation is applicable, government authorities may request information relevant to investigations without obtaining independent judicial approval. 

As discussed above, search and seizures must be, in principle, conducted pursuant to a court issued warrant. In addition, government authorities may be subject to certain limitations when requesting information relevant to investigations in order to prevent the unnecessary collection of personal data in cases where a specific law or regulation may be applicable. For instance, requests for specified financial transaction information under the ARUSFTI must be approved by a special committee under the Korea Financial Intelligence Unit. 

The main statute applicable in such cases is the Act on Anti-Terrorism for the Protection of Citizens and Public Security (‘“Anti-Terrorism Act’”).

The National Intelligence Service (“NIS”) may collect entry/departure data, financial transaction data, and communication records of terrorism suspects and may also request data handlers to submit personal data and location information of terrorism suspects pursuant to the Anti-Terrorism Act. The NIS is also permitted to conduct surveillance of terrorism suspects in order to collect information necessary for anti-terrorism operations.

In general, the CPPA requires a wire-tapping warrant issued by a court in order to collect communication records. Requests for specified financial transaction information under the ARUSFTI must be approved by a special committee.

Data collection and surveillance activities pursuant to the Anti-Terrorism Act may only be conducted on ‘terrorism suspects,’ meaning ‘a member of a terrorist group (as designated by the UN), or a person who has propagated a terrorist group, raised, or contributed funds for terrorism, or engaged in other activities of preparing, conspiring, propagandising, or instigating terrorism, or where there are reasonable grounds to suspect that a person has performed such activities.’ In addition, the counterterrorism centre has been established under the prime minister’s office to monitor abuses of authority by the NIS and a counterterrorism human rights protection officer has been assigned to the national counterterrorism commission. 

In general, when the NIS seeks to collect communication records or specified financial transaction information, a warrant issued under the CPPA or approval by a special committee under the ARUSFTI is required.

Personal data may be transferred to a foreign government or international organisation without the consent of data subjects in cases where such transfer is necessary for the performance of an international treaty or convention. Otherwise, the transfer of personal data to a foreign government is not permitted without the consent of the data subject. 

As discussed above, the Supreme Court has held that an internet portal operator should not be held liable to data subjects for any damages suffered if their personal data was provided to the investigative authorities in accordance with the law. Following this decision, public debate has taken place as to whether the government has been granted excessive access to the personal data of citizens, leading to increased discourse on the need to amend individual laws and regulations so that a court issued warrant is necessary for the collection of personal data by government authorities.

On a separate note, the Anti-Terrorism Act entered into effect in March of 2016, nearly fifteen (15) years after it was first proposed before the National Assembly. In response, significant concerns have been raised citing the possibility that this Act could be used to justify wire-tapping of ordinary Korean citizens by the NIS.

Under the PIPA, if a data handler transfers personal data abroad to a foreign entity for the benefit and use of such entity (‘provision’), then the data handler is required to obtain the consent of data subjects after providing notice of matters prescribed by law. However, if a data handler transfers personal data abroad to a foreign entity for the purpose of merely outsourcing its processing (‘outsourcing’”), then the data handler is not required to obtain the consent of data subjects in such cases.

Under the Network Act, an ICSP that transfers personal data abroad to a foreign entity is required to obtain the consent of users irrespective of whether such transfer constitutes a provision or an outsourcing. However, an ICSP is not required to obtain the consent of data subjects for an outsourcing if it is (i) necessary for the provision of the service to users, (ii) enhances the convenience of the users, and (iii) information such as the outsourced tasks and the identity of outsourced processors has been disclosed through statutorily prescribed methods such as through the ICSP’s privacy policy. In addition, under the Amended Network Act, taking effect on 19 March 2019, anyone who receives personal information from an ICSP subject to the Network Act will be required to obtain consent from the data subject for the onward transfer of his or her personal information to a third country after it is initially transferred from Korea.

Unless subject to an exception under applicable laws or regulations, the consent of data subjects is required in order to transfer personal data abroad. Further, both the PIPA and Network Act prohibit the execution of international data transfer agreements that violate any provisions thereunder.

No government notifications or approvals are required in order to transfer personal data abroad.

In principle, Korean data protection laws do not prescribe data localisation requirements.

However, under the Regulation on Supervision of Electronic Financial Transactions (“RSEFT”), certain financial companies and electronic financial business operators are required to install their servers and other electronic facilities in Korea. Notwithstanding the foregoing requirement, if cloud computing services are used pursuant to the RSEFT, then the equipment and facilities of the relevant cloud computing service providers are permitted to be located abroad so long as such equipment and facilities do not process any particular identification information (ie, RRNs, passport numbers, driver’s licence numbers, and alien registration numbers) or personal credit information.

In the health sector, the Enforcement Rule of the Medical Service Act and the Standards of Facilities and Equipment for Management and Retention of Electronic Medical Records (“EMRs”) provide that the physical location of an EMR system and its back-up equipment must be restricted to Korea and thus, it is prohibited to transfer EMRs generated at a hospital in Korea to an overseas location.

According to the data localisation rules under the Regulations for the financial and medical sectors, it is prohibited to transfer internationally any copies of data that must be physically stored in Korea.

There is no law or regulation in Korea that requires software code, algorithms, or similar technical detail to be shared with the government.

Under Korean data protection laws, personal data may be transferred to a foreign government or international organisation without the consent of data subjects in cases where such transfer is necessary for the performance of an international treaty, convention, or where such transfer is specially permitted under the Act on International Judicial Mutual Assistance in Civil Matters and the Act on International Judicial Mutual Assistance in Criminal Matters. Otherwise, the transfer of personal data in connection with foreign government data requests, foreign litigation proceedings or internal investigations requires the consent of the data subject.

Although unrelated to privacy or data protection, the Act on The Establishment, Management, tc Of Spatial Data restricts the cross-border transfer of maps or survey photographs. 

There is currently no law or regulation in Korea that addresses Big Data analytics. However, it is worth noting that in July of 2016, the Korean government published the guidelines on personal data de-identification measures.

Meanwhile, the Presidential Committee on the Fourth Industrial Revolution (‘Fourth IR Committee’) was launched in September of 2017 with the aim of supporting and fostering new technologies and industries that will drive the future economy. The development of Big Data centres for key industries was stated as one of its main policy initiatives (‘Initiatives’).

There is no law or regulation in Korea that regulates automated decision-making in general.

Although a seminar on profiling regulations was held in the National Assembly on 17 August 2017, there is currently no law or regulation in Korea that restricts profiling.

There is no law or regulation in Korea that restricts the use of artificial intelligence. The Four4th IR Committee has stated that the universal distribution of public data in the form of training data for artificial intelligence systems was an Initiative. 

Internet of Things (IoT)

The IoT is currently regulated by the TBA as there have been no laws or regulations that which have been separately established for this purpose. The Four4th IR Committee has stated that the establishment of networks dedicated to the IoT, making available radio frequency spectrum for IoT, and the relaxing of licence/permit regulations to facilitate the entry of network operators were Initiatives. Furthermore, the Four4th IR Committee has approved a plan to provide new radio frequency spectrum for industrial and private use by 2020 to support various IoT applications. 

There is no law or regulation in Korea that regulates automated decision-making in general. However, the Motor Vehicle Management Act provides that a temporary operating licence is required to operate autonomous vehicles (ie, motor vehicles that are capable of being driven without the assistance of a driver or passenger) for testing and research purposes.

There is no law or regulation in Korea that restricts facial recognition. However, any data used for facial recognition, to the extent it constitutes biometric data (ie, information on physical or behavioural characteristics that can be used to identify a specific individual such as fingerprints, iris patterns, voice data, handwriting, etc), will be subject to laws and regulations on biometric data as more fully explained below.

The Network Act and various Regulations issued thereunder require ICSPs to obtain the consent of users prior to accessing data (eg, biometric data) stored on users’ mobile devices and further require such data to be encrypted prior to being saved.

In December of 2017, the KCC announced the Guidelines for the Protection of Biometric Data to promote the safe use of biometric data such as fingerprints and iris patterns. The guidelines prescribed main principles for the use of biometric data and detailed managerial and technical security measures for each stage of processing to prevent the leakage, falsification, or alteration of biometric data.

The processing of (personal) location information by location-based service providers will be subject to the Location Information Act. Specifically, any person that wishes to operate a location information business that collects location information for provision to a location-based service business must obtain permission from the KCC. Further, any person that wishes to operate a location-based service business must file a report with the KCC. Under the Location Information Act, any person that wishes to collect, use, or provide location information  pertaining to an individual or moveable object must, in principle, obtain the consent of the individual or owner of the moveable object. Furthermore, a location information business must implement certain managerial and technical security measures for the protection of location information.

Drones will be treated as ‘“unmanned aerial vehicles’” under the Aviation Act and will be subject to various requirements thereunder (eg, filing reports based on vehicle weight/purpose, restrictions on operating vehicles in densely populated areas and during the night time). Furthermore, drones are prohibited from taking pictures of any facilities related to national security such as military installations and an aerial photography permit must be obtained from the Ministry of National Defencs to take pictures of adjacent areas.

In December of 2017, the Fourth IR Committee approved a comprehensive plan for the establishment of infrastructure for the drone industry.

Although the PIPA imposes general cyber-security requirements on data handlers, because of the nature of cyber-security, the requirements for ICSPs under the Network Act are considered to be more important. Financial institutions are subject to cyber-security requirements under the Credit Information Act as well as sector-specific laws (such as the Banking Act, the Insurance Business Act, the Electronic Financial Transactions Act, and other laws that regulate financial services). In addition, there are several other laws that impose security requirements in specific areas, such as medical information systems used by medical institutions.

The MOIS is responsible for enforcing the Standards of Personal Information Protection Measures (‘Measures’), an implementing Regulation of the PIPA, while the KCC is responsible for enforcing the Standards of Technical and Managerial Safeguards for Personal Information (‘Standards’), an implementing Regulation of the Network Act. Further, the Financial Supervisory Service (“FSS”) is responsible for enforcing cyber-security requirements applicable to financial institutions. The KISA is responsible for overseeing personal information and data protection certification procedures, handling complaints submitted by data subjects/users related to cyber-security, conducting investigations into data breaches and violations, and other tasks delegated to it by the MOIS, KCC, and the PIPC.

The MOIS, KCC, and FSS investigate alleged violations and impose various administrative sanctions (eg, administrative fines, penalty surcharges and, corrective orders) in accordance with relevant laws and regulations upon finding the existence of a violation. The KISA provides data protection training through its Cybersecurity Academy, operates an online data protection portal, handles hacking/virus complaints and provides consultation, and generally supports various programmes to improve the cyber-security of individual users.

The MOHW is responsible for enforcing cyber-security requirements and applicable information processing systems subject to the Medical Service Act, including the establishment of standards for EMRs. 

In Korea, the main certification procedure for data protection is the ISMS (Information Security Management System) certification. Certain business operators under the Network Act are required to obtain certification based on the type of business, amount of sales revenue, and the number of users for information and communications services. The purpose of ISMS certification is to certify the adequacy of management systems (including any managerial, technical and, physical safeguards) in conforming with certification standards. International standards such as ISO 27001 are also widely obtained and recognised in Korea.

Under the Standards and Measures, an internal control plan for the formation and operation of an internal organisation responsible for the protection of personal data must be established and implemented through the internal decision-making process. The specific matters that must be included in an internal control plan are set forth in the Standards and Measures, respectively.

Matters related to physical safeguards for the personal data processing system (‘PIPS’) against natural and man-made disasters (inapplicable to certain types of business operators) must be included in the above-mentioned internal control plan.

The appointment of a DPO that will oversee tasks related to data protection is mandatory.

Although involvement by the board of directors is not required, a DPO appointed by a data handler that is not a public institution must be a business owner, representative director, or an executive officer (or the head of the department responsible for  handling the processing of personal data).

According to PIPA, the obligation to conduct a personal data impact assessment is only imposed on public institutions. Under the Standards and the Measures, data handlers are required to implement measures to detect and respond to unauthorised attempts to access and leak personal data from information and communications networks and to periodically monitor access records to the PIPS in order to prevent the loss, theft, leakage, falsification, alteration, or damage of personal data. Data handlers are further required to install and operate security programs such as vaccine software in order to prevent and remedy infections by malicious codes.

Under the Standards and Measures, the grant of access authority to the PIPS must be limited to the minimum extent necessary to provide relevant services, and information on the granting, change, or termination of access authority to the PIPS must be stored for legally prescribed periods.

Although there are no requirements to conduct due diligence on vendors or service providers, data handlers that outsource the processing of personal data to third parties must supervise such third parties.

Under the Standards and Measures, data handlers are required to provide necessary training to the DPO and personal data managers on a regular basis.

The KISA jointly established the Cybersecurity Alliance for Mutual Progress with data protection authorities from other member countries to establish a cross-border co-operation network for cyber-security. In addition, the KISA has forged multinational relationships with other international organisations such as the OECD and the Inter-American Development Bank.

The Standards and Measures prescribe detailed standards for security measures that data handlers are required to comply with. For instance, certain personal data must be encrypted using secure encryption algorithms prior to being stored in the PIPS.  The personal data of users/data subjects must undergo encryption prior to being saved on the personal computers, mobile devices, and auxiliary storage mediums of data managers of the data handlers/ICSPs.  The passwords of data managers and users must, prior to being saved, be encrypted by unilateral encryption methods to prevent decryption.

There are no particular requirements for the management of material business data, networks, or systems. However, the Standards and Measures prescribe certain physical security measures for locations that store personal data.

There are no particular requirements for the management of critical infrastructure under Korean data protection laws.

The Standards and Measures prescribe detailed standards for security measures that data handlers are required to comply with. For instance, data handlers must, when handling personal data, undertake the following technical and administrative measures in accordance with guidelines prescribed by Presidential Decree, including:

  • the establishment and implementation of an internal control plan for the safe handling personal data;
  • the installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal data;
  • measures for preventing fabrication and alteration of access logs/records;
  • measures for security, including encryption technology and other methods for safe storage and transmission of personal data;
  • measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; and
  • other protective measures necessary for securing the safety of personal data.

Under the RSEFT, financial companies and electronic financial business operators are required to implement certain legally prescribed security measures such as the following in order to protect their information processing systems and information and communications networks against electronic intrusion events (eg, hacking). These include:

  • the installation and operation of a data protection system to prevent electronic intrusion events such as hacking; and
  • the separation of and prohibiting access to internal processing systems from external networks.

Under the PIPA, a data handler is required to provide notice to affected data subjects and data protection authorities upon becoming aware of the leakage of any personal data. Under the Standard Guidelines for the Protection of Personal Data, an implementing regulation of the PIPA, a ‘personal data leak’ is defined as “the data handler’s involuntary loss of control of the personal data of data subjects or the allowance of access thereto by unauthorised persons that is not pursuant to an applicable law or regulation (loss or theft of documents, auxiliary storage mediums or mobile computing devices containing personal data, unauthorised access to the PIPS, etc.).”

Any personal data that has been affected by a leak is covered.

Reporting and notification obligations are triggered upon the leakage of any personal data, irrespective of the systems affected by such leak.

There is no specific law or regulation that prescribes security requirements for medical devices.

There is no specific law or regulation that prescribes security requirements for industrial control systems.

Security Requirements Applicable to IoT

There is no specific law or regulation that prescribes security requirements applicable to the IoT.

Under the PIPA, the MOIS must be notified if a data breach involves the personal data of 1,000 or more data subjects. The notice should contain:

  • the items of personal data leaked;
  • the time when personal data was leaked, and reasons for the leak;
  • information concerning measures to be taken by the data subject to minimise ensuing damages;
  • countermeasures taken by the data handler and procedures for remedying damages to the data subject; and
  • contact information of the data handler’s department responsible for handling complaints/reports submitted by data subjects.

The PIPA provides that notification should be made 'without delay', which is generally interpreted as ‘within five days’' under regulatory guidelines.

In cases where the Network Act applies, the KCC must be notified, without delay, in any event within 24 hours, upon the occurrence of a data breach unless there is a justifiable reason (there is no threshold of '1,000 or more data subjects'). Information that must be included when providing notification is identical to that of the PIPA.

Affected data subjects must be notified in the event of a data breach. Information that must be included when providing such notification is identical to the information that must be included when providing notification to data protection authorities. However, where the PIPA is applicable, data subjects must be notified even if the data breach affects fewer less than 1,000 data subjects.

There is no requirement to provide notice of a data breach to other companies or organisations.

There are no ‘risk of harm’ thresholds or standards existing under Korean law. In other words, companies or organisations are required to report/notify a data breach irrespective of the ‘risk of harm.’

However, as explained previously, if the PIPA is applicable, there is no threshold requirement for notification to affected data subjects, but reporting obligations to the MOIS will be triggered if the data breach involves the personal information of 1,000 or more data subjects. 

Monitoring may not be conducted in a manner that violates the Criminal Code, Network Act, or CPPA.

The Criminal Code prohibits unauthorised access, using any technical means, to the contents of another person’s letters, documents, drawings, pictures, or special media records (eg, electromagnetic records) that have been sealed or protected by a secure device. Thus, monitoring a person’s password-protected computer or email account without the person’s consent may be considered unlawful. Moreover, if the workplace computer in question is connected to the Internet or company intranet, the monitoring may also constitute “infringement upon other’s secret/privacy processed, stored or transmitted via an information and communications network,” which may also be subject to sanctions under the Network Act.

The CPPA prohibits a person from censoring mail, wire-tapping telecommunications, providing communications records, or recording/listening to any conversation between others that are not made public. Real-time monitoring of an email that is being transmitted may constitute ‘wire-tapping’ of an email, which is prohibited under the above provision of the CPPA. In this regard, the Supreme Court of Korea has ruled that, as a general rule, a third-party’s real-time recording of phone communications of another constitutes wire-tapping prohibited by the CPPA, unless the recording is in advance consented by all parties to the communications.

There is no provision on the required or authorised sharing of cyber-security information with the government other than in the case of the leakage of personal data.

Typically, when a data security incident or breach occurs, the data handler is found to have violated the Measures or Standards, so the data handler is subject to a high penalty surcharge or administrative fine.

In the past, plaintiffs (ie, data subjects whose personal data was the subject of data breaches) were only able to receive a small sum as compensation for their damages, even where the court ruled in their favour, because it was difficult for them to specify the actual extent/amount of their damages when filing the lawsuit.  However, amendments to the PIPA and the Network Act in 2015 and 2016, respectively, now allow plaintiffs to seek statutory damages of up to KRW3 million,000,000 and punitive damages of up to three times the actual damages, for data breaches that occurred after the laws were amended. Meanwhile, the trial concerning the hotel reservation app data breach is still ongoing, and is the first case in which the above statutory damages and punitive damages provisions have been applied.

As explained previously, starting from 19 March 2019, at which date when recent amendments to the Network Act take effect, ICSPs without a place of business in Korea that, nevertheless, meet certain criteria regarding the number of users and sales revenue, will be required to designate a Korean representative (ie, a corporation or individual that has an address or place of business in Korea) in writing to handle tasks related to the processing of personal information, including notifying/reporting the occurrence of a data breach to affected data subjects and regulatory authorities on behalf of the ICSPs.

In addition, regarding significant private litigation involving a data breach, as explained previously, multiple lawsuits related to the massive data breach that occurred at three major Korean credit card companies in 2014 are being litigated in the Korean courts. A final decision was rendered by the Supreme Court on 27 December 2018 for several of the lawsuits, ordering the credit card companies to pay KRW100,000 in compensation to each affected data subject. This Supreme Court decision is expected to influence both current and future court cases widely when determining damages related to the leakage of personal information.

Lee & Ko

Hanjin Building, 63 Namdaemun-ro,
Jung-gu,
Seoul 04532,
Korea

+82 2 772 4000

+82 2 772 4001

www.leeko.com
Author Business Card

Law and Practice

Authors



Lee & Ko parallels in many ways the solid economic development of the country in its evolution as the premier law firm in Korea, over the more than 40 years following its founding in 1977. The firm is one of the top law firms in Korea that is recognised for expertise in all major practice areas, which includes over 30 specialised practice groups, and that is consistently acclaimed over the years as one of the leading firms in Asia by internationally respected legal publications and league tables. Also, Lee & Ko has a global client base that includes domestic conglomerates to multinational corporations in many different industries. We have an unrivalled list of leading clients from the US, EU, China, Japan and more, as well as high-profile start-up high-tech companies. Our global reach is a result of our Korean-licensed lawyers with outstanding foreign language capabilities working together with our experienced foreign-licensed lawyers. Lee & Ko’s Data Protection/Privacy (DPP) Practice Group provides professional legal services, including an advisory service on a wide range of cases involving (inter alia) ever-increasing security breaches and hacking incidents, as well as representation of clients in litigations and regulator’s investigations. The entire DPP Practice Group is comprised of more than 20 legal professionals with extensive experience of handling IT compliance projects and pertinent know-how, allowing us to offer high-quality advice fitted to the needs of our clients.

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.