Data Protection & Privacy 2021 Comparisons

Last Updated March 09, 2021

Contributed By Lee & Ko

Law and Practice

Authors



Lee & Ko is the premier full-service law firm in Korea, whose evolution has paralleled, in many ways, the solid economic development of the country for more than 40 years. The firm is recognised for its expertise in over 80 specialised practice areas and has been consistently acclaimed as one of the leading firms in Asia by internationally respected legal publications. Lee & Ko has a global client base that includes multinational corporations in many different industries. In particular, the firm’s DPC (data privacy & cybersecurity) and TMT (technology, media and telecommunications) practice groups have extensive experience, knowledge, and expertise in a wide range of issues involving, among other things, security breaches, hacking incidents and DPC/TMT-related regulatory issues, transactional matters and litigation. Lee & Ko's attorneys are widely recognised as being among the top experts in their respective fields, with unrivalled knowledge and know-how in Korea.

Under the Constitution of Korea, the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental. In addition, the Constitutional Court and Supreme Court of Korea have established, through subsequent court decisions, that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.

The main laws and regulations related to data protection are the Personal Information Protection Act (PIPA) and its implementing regulations, which regulate the collection, usage, disclosure and other processing (collectively, "processing or process") of personal information by governmental or private entities as well as individuals. In this regard, the personal information-related provisions of the Act on Promotion of Information Communication Network Usage and Information Protection (Network Act) (ie, the provisions concerning the processing of personal information by information and communications service providers (ICSPs), such as telecommunications service providers) were transferred to the PIPA as a result of the recent amendments to the PIPA in 2020.

In addition to the PIPA, there are sector-specific laws that also regulate data protection. The processing of (personal) credit information by financial institutions, credit information companies, and general commercial transaction companies that provide or use credit information (ie, credit information users) is regulated by the Act on Usage and Protection of Credit Information (Credit Information Act). The processing of location information is separately regulated by the Act on the Protection and Use of Location Information (Location Information Act). As the comprehensive data protection law, the PIPA will generally apply to the processing of personal information unless a provision of a sector-specific law, such as any one of the foregoing, is found to be applicable in a certain case.

Regulators may impose various administrative sanctions, such as corrective orders, administrative fines and penalty surcharges for violations of data protection laws and regulations. Additionally, public prosecutors may investigate any violations that are also subject to criminal punishment and, in certain cases, impose criminal penalties upon both companies and individuals if the relevant provisions provide for vicarious liability. Data subjects may also claim damages for any violations of data protection laws and regulations that infringe upon their right to informational self-determination or their right to privacy.

Various regulators are involved in enforcing Korean data protection laws. The regulatory authority responsible for enforcing the PIPA is the Personal Information Protection Commission (PIPC). The PIPC is composed of nine commissioners (appointed or proposed by the President of South Korea) and their supporting staff organisations. The regulatory authority responsible for enforcing the Network Act and the Location Information Act is the Korea Communications Commission (KCC). In addition, the Korea Internet and Security Agency (KISA) performs tasks delegated to it by the PIPC, the KCC and the Ministry of Science and ICT (MSIT). Meanwhile, the Financial Services Commission (FSC) enforces the Credit Information Act and issues formal interpretations thereon.

Following the recent amendments to the PIPA, the Network Act, and the Credit Information Act (collectively, "the Amendments"), which went into effect on 5 August 2020, the PIPC was elevated to a central administrative agency under the direct authority of the Prime Minister and took over responsibility for enforcing the PIPA.

It should be noted that the FSC remains the regulatory authority responsible for enforcing the Credit Information Act, while the KCC remains responsible for enforcing the Network Act and the Location Information Act. Please note that the FSC will only be responsible for regulating personal credit information processed by financial institutions and credit information companies. Any personal credit information processed by non-financial institutions will be regulated by the PIPC.

When data protection and privacy law violations such as data leakages occur, or complaints are registered regarding such violations, the pertinent regulator may get involved, depending on which sectoral laws are implicated. Even without a particular reason, regulators also occasionally conduct special surveys to establish if certain industries and industry players are in compliance with applicable data privacy laws.

Under the PIPA, the PIPC is allowed to impose administrative sanctions such as penalty surcharges, administrative fines and corrective orders on data handlers, and – if they are found to be in violation of a law, or the PIPC receives a complaint of a violation – it may request the data handler to submit relevant materials regarding the violation (the data handler under the PIPA is a similar concept to the data controller under the European Union’s General Data Protection Regulation (GDPR)). Even if the PIPC does not receive a complaint, it conducts surveys on a regular and/or irregular basis to see whether certain industries and data handlers are in compliance with the PIPA.

The imposition of an administrative sanction must be done in accordance with the Administrative Procedures Act, and the data handler subject to the administrative sanction may object to it by filing an administrative lawsuit or administrative appeal.

South Korea is a member of the Asia-Pacific Economic Cooperation (APEC). In its press release, issued on 30 August 2020, the PIPC announced that KISA’s application for the Cross-Border Privacy Rules (CBPR) system was approved in December 2019 and, therefore, Korean companies may now be certified under the CBPR system. Also, South Korea officially joined the APEC’s Cross Border Privacy Enforcement Arrangement on 19 October 2020.

Meanwhile, according to the PIPC, the adequacy assessment under the GDPR that the Korean government has been pursuing in consultation with the European Commission is currently underway, and the Korean government has been making continued efforts to secure an adequacy decision from the European Commission. As part of such efforts, the Korean government has issued a notice titled the “Supplementary Regulations for the Interpretation and Application of the Personal Information Protection Act related to the Processing of Personal Information Transferred to South Korea” in order to provide guidelines for the interpretation and application of the PIPA in relation to the processing of personal information of EU data subjects transferred to South Korea, and to ensure that the data protection regulations in South Korea are in harmony with those in the European Union.

Finally, the PIPA expressly provides that any local ordinances (or amendments thereto) regulating the processing of personal information that have been issued by local government authorities must be consistent with the legislative purposes of the PIPA. In addition, the PIPC is authorised to provide its formal opinion in response to any such local ordinances that have been issued (or amended) by local government authorities.

Under the PIPA, the PIPC is obliged to promote self-regulation. If an association comprised of companies within a specific industry meets certain requirements, the PIPC may designate that association as a self-regulatory industry group so that it may establish data protection standards suited to its specific industry and require member companies to comply with those standards. As of January 2021, a total of 14 organisations (eg, the Korean Hospital Association, the Korea Association of Travel Agents) have achieved the status of self-regulatory organisations.

NGOs engage in various activities, such as proposing amendments to data protection laws and regulations, reporting violations of data protection laws to regulatory authorities, requesting criminal investigations into such violations, and filing public interest lawsuits against data handlers.

Overall, Korean data protection laws and regulations are some of the most stringent in the world, and the enforcement of the regulations is also relatively aggressive. The Amendments, which incorporate certain aspects of the GDPR, are widely seen as having expanded the scope of purposes for which personal information may be used, while also stipulating heavier penalties for violations.

The key developments in the last 12 months in the Korean data protection space are set out below.

Amendments to the PIPA and the Enforcement Decree of the PIPA (Effective as of 5 August 2020)

The amendments to the PIPA include, among others:

  • the introduction of pseudonymised information and the legal basis for using pseudonymised information for research and statistical purposes without the data subject’s consent;
  • the introduction of the compatibility concept;
  • the transfer of the Network Act’s personal information-related provisions to the PIPA; and
  • the PIPC’s status being elevated to a central administrative agency and the sole supervisory authority responsible for the enforcement of the PIPA. 

The amendments to the Enforcement Decree of the PIPA include, among others;

  • the specification of the rules regarding the use and management of pseudonymised information, such as the security measures which must be implemented and the specification of the procedures for combining pseudonymised information among different entities;
  • the specification of the standards used to determine compatibility;
  • the transfer of the personal information-related provisions in the Enforcement Decree of the Network Act to the Enforcement Decree of the PIPA; and
  • the addition of certain types of information within the scope of “sensitive information".

Amendments to the Credit Information Act (Effective as of 5 August 2020)

The amendments to the Credit Information Act include, among others;

  • the introduction of the concepts of "pseudonymised information", "pseudonymisation", and "anonymisation" in line with the amendments to the PIPA;
  • the introduction of the compatibility concept;
  • the right to challenge (ie, the right to request explanations and raise objections) decisions based on automated processing; and
  • effective as of 4 February 2021, the right to request financial companies and public institutions to transmit their personal credit information (ie, the right to data portability of personal credit information) to other financial companies.

The amendments to the Enforcement Decree of the Credit Information Act include, among others;

  • the introduction of the rules concerning the processing of pseudonymised information, such as the establishment of technical, physical and managerial safeguards to protect pseudonymised information;
  • details regarding the right to challenge decisions based on automated processing, including the types of financial transactions, such as credit extension, subject to the right to challenge decisions based on automated processing and the methods of and procedures for exercising such right; and
  • details regarding the exercise of the right to transmit personal credit information, such as the types of personal credit information which can be transmitted and the types of institutions which may receive personal credit information through the exercise of the subject right.

Introduction of Regulatory Guidelines

After the Amendments came into effect, the pertinent regulatory authorities, including the PIPC, published new guidelines for the regulations/systems newly introduced by the Amendments, and amended the existing guidelines in accordance with the Amendments. The key regulatory guidelines are:

  • “Commentary on Data Protection Laws, Regulations, Guidelines and Notices (2020)” (ie, the comprehensive guidelines for the amended PIPA, published by the PIPC);
  • “Guidelines for Processing of Pseudonymised Information” (ie, the guidelines on pseudonymisation processes and the combination and management of pseudonymised information, published by the PIPC;
  • “Commentary on Pseudonymisation and Anonymisation of Personal Credit Information in Financial Sectors” (ie, a commentary on, among other things, the methods of pseudonymisation and anonymisation of personal credit information and the FSC’s assessment on the adequacy of anonymisation of personal credit information, published by the FSC); and
  • “Guidelines for Utilisation of Health-Medical Data (ie, the guidelines published by the PIPC and the Ministry of Health and Welfare, which set forth additional obligations concerning pseudonymisation of health-medical data, such as the establishment of a data deliberation committee).

Plans for Additional Amendments to the PIPA

Following the Amendments, the PIPC announced its proposed amendments to the PIPA, including the following (it is not yet decided whether the proposed amendments will be adopted and added to the PIPA, and thus continued monitoring of legislative developments is required):

  • the introduction of the right to transmit personal information under the PIPA, which currently exists only under the Credit Information Act; 
  • the introduction of the right to challenge (ie, the right to request explanations and raise objections) decisions based on automated processing under the PIPA, which currently exists only under the Credit Information Act;
  • the repeal of the PIPA’s special provisions governing the data protection matters related to ICSPs so that all data handlers, regardless of whether they are ICSPs or not, are subject to the same data protection laws and regulations; 
  • the amendments to the PIPA’s criminal sanctions provisions (repealing the criminal sanctions provisions with respect to personal information leaks) and the introduction of economic sanctions such as penalty surcharges in the PIPA;
  • the relaxation of the criteria required for imposing a corrective order under the PIPA; and
  • a provision which allows for a cross-border transfer of personal information without consent, if personal information is transferred to a country, corporation or entity recognised as ensuring an adequate level of data protection by the PIPC (under the current PIPA, in principle, cross-border transfers require consent of the data subject).         

Balance between Prevention of COVID-19 and Protection of Personal Information

Under the Infectious Disease Control and Prevention Act, regulators may order managers, operators and users of places/facilities where there is a risk of transmitting infectious diseases to have in place an entry log system. Accordingly, visitors of public-use facilities (eg, restaurants, shops) are required to complete a visitor log each time they enter the facilities. In order to protect the personal information of visitors, however, visitors are not required to provide their names in the log. It is also expected that visitors will soon be able to provide their phone numbers by way of using a “personal security number” (ie, a virtual number linked to a visitor’s phone number).

As explained in 1.1 Laws, the PIPA is a general law that governs matters relating to the protection of personal information.

Privacy Officers

Under the PIPA, all data handlers are required to appoint a Chief Privacy Officer (CPO) (however, if a data handler is a micro-enterprise as defined in Article 2 of the Act on the Protection of and Support for Micro Enterprises, the business owner or a representative of the enterprise is deemed to have been appointed as the CPO). The CPO is responsible for, among other things, the establishment and implementation of an internal control plan and training plan for the protection of personal information and handling complaints and disputes in relation to the processing of personal information.

The PIPA requires data handlers (other than public institutions) to appoint an individual who is either the owner/representative or an executive officer (or, if there is no executive officer, the head of the data handler’s department in charge of performing tasks related to the processing of personal information) as their CPO.

Authorised Collection, Use or Other Processing

In principle, data handlers are permitted to collect or use personal information if one of the following grounds exists:

  • if the data subject’s consent is obtained;
  • if the collection is specifically required or permissible under other applicable laws and regulations, or necessary to comply with the data handler’s obligations under other applicable laws and regulations;
  • if collection by a public institution is unavoidable to perform its legally mandated duties and responsibilities;
  • if the collection is necessary for the execution and performance of a contract with the data subject; 
  • if there exists a clear and urgent need to protect the life, or physical or economic interest of the data subject or a third party, and consent for the collection of personal information cannot be obtained in an ordinary manner because the data subject (or his or her legal guardian) cannot express his or her intent, or his or her address is unknown; or
  • if the collection is necessary to achieve a legitimate interest of the data handler where that interest clearly overrides the rights of the data subject, provided that collection will be substantially relevant to the legitimate interest of the data handler, and that such collection is only performed to a reasonable extent.

Also, the amended PIPA permits data handlers to use and/or provide personal information to a third party without the data subject’s consent within the scope reasonably related to the original purpose of the collection after considering whether:

  • the contemplated use/provision is related to the original purpose of the collection;
  • such use/provision of the personal information could have been predicted in light of the circumstances surrounding the collection and customary handling practices;
  • the use/provision will result in any disadvantage to the data subject; and/or
  • the data handler has implemented the necessary safeguards to ensure the security of the personal information (eg, encryption).

The above amendment to the PIPA is viewed as a reflection of the GDPR’s "compatible use" principle.

Privacy by Design or by Default

Unlike the GDPR, Korea’s data protection and privacy laws do not specify the requirements that will trigger the application of a "privacy by design" or "by default" concept. However, the PIPA and its respective implementing regulations set forth detailed standards on the technical and managerial measures to be taken with respect to personal information processing systems and network security.

Privacy Impact Analyses

Under the PIPA, only public institutions managing personal information files that meet certain criteria must conduct a privacy impact analysis if there is a concern that a data subject’s privacy may be infringed upon due to the management of their personal information file. In addition, although different from a privacy impact analysis, all data handlers (including private companies) must include "matters related to the analysis of risk factors and the establishment of contingency measures" in their internal control plans.

Privacy Policies

Data handlers are required to disclose their privacy policies, usually through their website. In addition, data handlers are required to establish and implement an internal control plan to prevent the loss, theft, leakage, falsification and alteration of, as well as damage to, personal information. 

Data Subject Access Rights

Under the PIPA, a data subject has the following rights.

Right of access to data

A data subject has the right to request access to their personal information where it is being processed by the data handler. In principle, the data handler must allow the data subject to access their personal information within ten days of receiving such a request.

Right to rectification of errors and deletion

A data subject who accesses their personal information has the right to request rectification or deletion of their personal information. In principle, the data handler must rectify or delete the personal information immediately upon receiving such a request and notify the data subject of the results.

Right to object to processing

A data subject has the right to request suspension of the processing of their personal information. Unless there are grounds for refusing such a request, the data handler must suspend the partial or entire processing of the data subject’s personal information without delay.

For your reference, the Credit Information Act recognises the right to data portability of personal credit information (specifically, the right of data subjects to request financial companies and public institutions to transmit their personal credit information to other financial companies). However, at this point, no such right to data portability (in the case of personal information) is recognised under the PIPA.

Anonymisation, De-identification, Pseudonymisation

The PIPA and the Credit Information Act introduce the concept of pseudonymised information and expressly provide that anonymised data is excluded from the application of their provisions. Specifically, data handlers are permitted to process pseudonymised information without the consent of the data subject for purposes including statistical compiling, scientific research, and record preservation for the public interest. The PIPA regulates the combining of pseudonymised information managed by different data handlers by stipulating that only professional institutions designated by the PIPC or by the head of a pertinent central administrative agency may combine such pseudonymised information.

Profiling and Automated Decision-Making

The Credit Information Act recognises the right of data subjects to challenge (ie, request explanations and raise objections) automated credit assessments. However, as of January 2021, no such right is recognised under the amended PIPA.

Injury or Harm

The concept of "injury" or "harm" is not defined under the relevant laws. However, under the PIPA, a data subject who suffers injury as a result of the data handler’s violation of an applicable law may request compensation for the injury from the data handler. Court precedent dictates that the standard to be applied when determining whether harm occurred is "whether the data subject suffered emotional distress that can be compensated with money". 

Sensitive data is defined as personal information regarding an individual’s ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal information that may cause a material breach of privacy (genetic information, criminal records, information on an individual’s physical, physiological, and behavioural characteristics generated through certain technical means for the purpose of identifying a specific individual, and racial/ethnic information are listed as such "other personal information" in the Enforcement Decree of the PIPA).

To process sensitive data, there need to be statutorily prescribed grounds therefor, or the data handler must obtain the data subject’s explicit consent, separate from the consent to the processing of other personal information.

Financial Data

The processing of financial data is regulated mainly by the Credit Information Act.

"Credit information" means information that is necessary to determine the creditworthiness of the other party to financial transactions and other commercial transactions. This includes:

  • information by which a particular owner of credit information can be identified (provided that such information has been combined with any of the following information);
  • information by which the transaction details of an owner of credit information can be determined;
  • information by which the creditworthiness of an owner of credit information can be determined;
  • information by which the credit transaction ability of an owner of credit information can be determined; and
  • other similar information.

"Personal credit information" means credit information of a living individual (excluding information on a corporation or entity) in the following categories:

  • information from which a specific individual can be identified through name, resident registration number, etc; or
  • information from which, if easily combined with any other information, a specific individual is identifiable, though a specific individual cannot be identified from the information on its own.

Health Data

Health data and medical data qualify as sensitive data under the PIPA and are thus protected under the general data protection and privacy laws. Where individual laws such as the Medical Service Act stipulate rules on the processing and protection of health data, these laws will apply. Medical institutions may collect and use medical records and personal information of a patient without their consent if the collection and use is for medical treatment purposes (Medical Service Act, Article 22).

Communications Data

The Communications Privacy Protection Act (CPPA) governs the secrecy of communications and conversations. Specifically, the CPPA prohibits anyone from screening mail, wiretapping telecommunications, providing communication records, or recording/listening to private conversations between third parties except as permitted under the CPPA, the Criminal Procedure Act, or the Military Court Act. In addition, court approval is required, in principle, to carry out wiretapping of telecommunications or provision of communication records to third parties. The Supreme Court has previously ruled that the term "wiretapping" should be interpreted as "acquiring/recording the contents of telecommunications or directly interfering with the transmission/reception of telecommunications on a real-time basis" and that this term should not apply to the content or records of telecommunications that have already been transmitted/received. However, the Network Act provides that "no person may damage any data of third parties that is processed, stored, or transmitted via an information and communications network or infringe, misappropriate, or divulge any secrets of third parties". Consequently, the contents of telecommunications that have already been transmitted/received will be separately protected by the Network Act.

Children’s or Student Data

If data handlers and online service providers seek to process the personal information of children under the age of 14, they are required to obtain the consent of the children’s legal guardians. In addition, those legal guardians are authorised to exercise the child’s rights as a data subject under the PIPA. Furthermore, ICSPs are required under the PIPA to verify (in accordance with methods prescribed by the Enforcement Decree of the PIPA) the authenticity of the consent provided by legal guardians for the processing of personal information of children under the age of 14. 

Educational or school data is regulated not only by the PIPA, but also the Education Framework Act, Elementary and Secondary Education Act, and the Rules on the Operation of the Infant Education Information System and Education Information System. A student’s personal information, school records and physical check-up records must not be provided to a third party without the consent of the student (or, if they underage, the consent of their legal guardian) unless allowed under an applicable law. Legal guardians (eg, parents) have the right to view the student information (eg, school records) of the person that is in their care and may also view the computerised data of that person by accessing the educational administration information system.

Employment Data

The PIPA applies to the processing of any employment data to the extent such data constitutes personal information. Therefore, the consent of data subjects is required, in principle, to collect and use such employment data. However, exceptions to this consent requirement are recognised in cases where employment data is collected/used in order to execute and perform an employment contract with the data subject or where such collection or use is specifically permitted or required by law. For instance, employment data may be processed without the consent of data subjects in cases where that processing is necessary to prepare a register of employees as required by the Labour Standards Act.

Other Categories of Sensitive Data

As explained above, information relating to union membership, sexual orientation, political or philosophical beliefs qualifies as sensitive data as defined under the PIPA. Therefore, in order to process sensitive data, there need to be statutorily prescribed grounds therefor, or the data handler must obtain the data subject’s explicit consent, separate from the consent to the processing of other personal information.

Retaining Records

The Standards of Personal Information Security Measures require data handlers to retain and manage records of access to the personal information processing system (by their personal information managers) for a period of at least one or two years in cases where the personal information processing system processes any particular identification data (ie, resident registration numbers, passport numbers, driver’s licence numbers, and alien registration numbers) or sensitive data.

Internet, Streaming and Video Issues

Browsing data

If any browsing data, viewing data, cookies, or beacons can be easily combined with other information to identify specific individuals then such data will be deemed personal information. If this is actually the case, then the consent of data subjects will be required, in principle, to collect and use such data. That said, the PIPA recognises exceptions to this consent requirement in cases where it is seriously difficult to obtain the consent from the data subject in an ordinary manner for an economic or technical reason, and yet, the collection or use of the personal information is necessary for the performance of a contract with the data subject concerning the provision of information and communications services.

Location data

The processing of location data is separately regulated by the Location Information Act. If any personal location information is collected for the purpose of providing location-based services, consent for the collection and use of personal location information under the Location Information Act and consent for the collection and use of personal information under the PIPA must be obtained, respectively.

Do not track, and tracking technology

There are no separate laws or regulations on do-not-track and tracking technology. The PIPA requires "matters concerning the installation, operation, and denial of a device that automatically collects personal information, such as an internet access information files" to be specified in a privacy policy.

Behavioural or targeted advertising

There are no separate laws or regulations on behavioural or targeted advertising. In this connection, the KCC announced the Guidelines on Privacy and Online Behavioural Advertising in February 2017. Although the guidelines are silent as to whether the prior consent of users should be obtained in order to conduct behavioural/targeted advertising, companies engaging in such advertising must at least provide notice of the items of behavioural data to be collected, the methods of collection, the purposes of collection, periods of retention and use, methods through which users may exercise control authority, and methods for providing redress to users who suffer damages. Users will be able to control their exposure to targeted advertisements appearing through web browsers and smartphone applications by using the methods that have been notified to them. In addition, if any personal information is collected in the course of conducting targeted advertising, the consent of users for the processing of such personal information may be required pursuant to Korean data protection laws.

Social media, search engines, large online platforms

Social media, search engines and large online platforms are all information and communications service providers subject to the Network Act. The Network Act previously contained a provision requiring large-scale ICSPs to verify the identity of users of online bulletin boards, but this provision was found to be unconstitutional by the Constitutional Court of Korea for violating the freedom of expression of users. Under the Credit Information Act, the data subject’s consent is not required to process information that the data subject has disclosed on a social networking service or other similar platform either by themselves, or through a third party.

Addressing hate speech, disinformation, terrorist propaganda, etc

The Network Act prevents the distribution of illegal information such as obscene materials, defamatory information, media content harmful to juveniles, content that divulges a state secret, content which constitutes activity prohibited by the National Security Act, and information relating to speculative acts that are prohibited by law via information and communication networks.

Other Issues

There is no law or regulation which expressly recognises the "right to be forgotten". However, under the Network Act, if information that was provided via an information and communications network for the purpose of being disclosed to the public ends up infringing upon another person’s privacy or damages his or her reputation, the person who was affected in such an adverse manner may request that the ICSP delete such information by explaining how his or her rights were infringed. Furthermore, under the PIPA, a data subject is entitled to request a data handler to delete his or her personal information.

Separately, under the PIPA, data subjects are entitled to request access to any of their personal information that is being processed by the data handler. Also, the Credit Information Act recognises the right of data subjects to request that financial companies and public institutions transmit their personal credit information (ie, right to data portability of personal credit information) to other financial companies.

Under the PIPA, data subjects are also entitled to request rectification or deletion of their personal information that is being processed by the data handler. Data handlers must rectify or delete the personal information immediately upon receiving such requests and notify data subjects of the results. 

There is no provision under the PIPA which expressly recognises the right to object to the sale of data or right to object to tracking. Also, various rights under the PIPA that data subjects are entitled to exercise, with respect to the processing of their personal information, do not apply to the processing of their pseudonymised information.

Under the Network Act, the recipient’s express prior consent is required for the transmission of commercial advertising information through electronic means (eg, mobile phone, email). However, an exception to this consent requirement is recognised if the sender has directly collected the recipient’s contact information on a previous occasion where a transaction for goods or services was carried out between the two parties and intends to send the recipient commercial advertising information regarding the same type of goods or services that were previously exchanged between them within six months of the date of their previous transaction.

There is no law or regulation in Korea that governs behavioural or targeted advertising in particular. However, the collection and processing of cookies and behavioural data, and information necessary for conducting behavioural or targeted advertising, will be subject to notice and consent requirements for the processing of personal information if such information may identify specific individuals.

Privacy in the workplace is governed by the PIPA.

As a general rule, employee monitoring is only permitted in cases where necessary consent has been obtained under the PIPA, the Network Act, and the CPPA. There are very limited exceptions to the foregoing consent requirement (eg, the company has a justifiable reason). 

The Act on the Promotion of Workers' Participation and Co-operation provides that an employer with 30 or more full-time workers must establish a labour management council and that the labour management council must be consulted in order to "install employee surveillance systems/facilities within the workplace".

Under the Act on the Protection of Specific Crime Informants, employers are prohibited from dismissing or imposing any disadvantages on any of their employees for having reported a crime. In addition, the Protection of Public Interest Whistle-Blowers Act is applicable to "public interest whistle-blowing", which is the reporting of a violation of a public interest (ie, certain illegal acts that impinge on the health and safety of the public).

There is no law or regulation that expressly provides that e-discovery will be excluded from the application of the PIPA. Consequently, there is a risk of violating the PIPA if any personal information is provided to the opposing party of a litigation without the consent of data subjects during e-discovery. The Supreme Court of Korea has previously ruled that a party who is the subject of a document production order issued by a court may not rely on consent requirements under the PIPA to refuse to comply with such a document production order.

As a general principle, the PIPA provides that personal information must only be collected to the minimum necessary extent to achieve the purposes of processing and that data handlers shall bear the burden of establishing whether, in fact, personal information has actually been collected to the minimum necessary extent. Therefore, if an employer collects the personal information of one of its employees, without consent, for the purpose of performing an employment contract with that employee, then the employer will bear the burden of establishing that it has collected only the minimum necessary amount of the employee’s personal information to perform that employment contract.

Legal Standards for Regulators

The PIPC may request that data handlers submit explanatory materials in response to alleged violations of the PIPA, and may inspect the data protection compliance levels of data handlers in conjunction with the relevant central government agency in order to prevent, and effectively respond to, security incidents involving the leakage of personal information. The PIPC may also impose administrative sanctions in the form of corrective orders, administrative fines, or penalty surcharges upon finding any violations of the PIPA.

Potential Enforcement Penalties

Regulators such as the PIPC may impose various administrative sanctions such as corrective orders, administrative fines and penalty surcharges (up to 3% of the related sales revenue) for violations of respective laws and regulations. Additionally, public prosecutors may investigate any violations that are also subject to criminal punishment.

Data handlers may face a penalty surcharge of up to 3% of their entire revenue for violating any provisions of the PIPA related to the processing of pseudonymised information.

Leading Enforcement Cases

On 15 July 2020 (before the Amendments took effect), the KCC, a privacy regulator at the time, rendered a corrective order and imposed a penalty surcharge of KRW180 million for an international media platform operator’s collection of personal information of minors under the age of 14 without the consent of their legal representatives. The KCC also imposed an administrative fine of KRW6 million for the company’s failure to disclose statutorily prescribed matters regarding the cross-border transfer of personal information.

On 25 November 2020, the PIPC imposed a penalty surcharge of KRW6.7 billion on an international social media corporation for the provision of personal information to a third-party business operator without the consent of the data subjects, referred the case to an investigative authority for a violation of the PIPA, and further imposed an administrative fine of KRW66 million on the grounds that, among other things, the company stored users’ passwords without encryption, failed to notify the users of the use records on a regular basis, and submitted false documents.

The cases above are noteworthy in that unlike in the past, Korean privacy regulators now impose sanctions against non-Korean data handlers under the relevant data protection laws in Korea.

Private Litigation

Legal standards

Under the PIPA, data subjects may claim damages against data handlers for privacy or data protection violations and data handlers may not avoid liability in such cases unless they can establish that such violations were not caused by any negligence or wilful misconduct attributable to themselves.

The PIPA also contains statutory and punitive damages provisions. Thus, a data subject whose personal information has been lost, stolen or leaked may claim statutory damages of up to KRW3 million if there has been any negligence or wilful misconduct on the part of the data handler. In addition, a court may order a data handler to pay up to treble the amount of damages suffered by a data subject as punitive damages.

After the Amendments took effect, the maximum amount of punitive damages under the Credit Information Act that may be imposed on financial companies and other credit information handlers in connection with the leakage of personal credit information due to their intentional or grossly negligent acts or omissions has increased to five times (previously, three times) the amount of proven damages.

Class actions

Korean data protection laws allow for the filing of class action lawsuits by data subjects affected by security breaches (including personal information leakages) under certain limited circumstances. Under the PIPA, data handlers may request that the dispute mediation committee mediate class actions in certain cases permitted by the Enforcement Decree of the PIPA where the damages or the infringement of privacy suffered by data subjects are identical or similar. Furthermore, consumer organisations and non-profit organisations may petition a court on behalf of data subjects to suspend or prohibit any infringing activity by a data handler in the event such a data handler refuses to participate in class action mediation or accept the results thereof.

Leading cases

In a case where the personal information of customers of a credit card company had been leaked, the Seoul High Court held that the damages owed to the plaintiff should be calculated based on the damage provisions in the Korean Civil Code, not those in the Network Act (wherein stricter damage provisions are provided for personal information leaks). Accordingly, the court reduced the total amount of damages to be paid by the credit card company pursuant to the relevant provisions of the Korean Civil Code (decided on 23 January 2020).

On 13 July 2020, in a case where around 100 users of a telecommunications service brought a civil claim against the telecommunications service provider after approximately 8.7 million items of personal information of users had been leaked, the Seoul Central District Court ruled that given the circumstances, such as the safeguards implemented by the telecommunications service provider to protect the personal information of the users at the time of the leakage incident, the telecommunications service provider cannot be held liable for the personal information leakage incident. 

On 15 November 2020, in a case where the defendant, an operator of a counselling centre, recorded the contents of the counselling sessions, provided the transcript of the recordings to a third party, and sold booklets based on the contents of the counselling sessions, the Seoul Central District Court held that the defendant’s acts constituted a violation of the PIPA, and thus, the defendant was ordered to pay compensation in the amount of KRW10 million.

Under the Criminal Procedure Act, search and seizures must be, in principle, conducted pursuant to a court-issued warrant. In addition, under the CPPA, independent judicial approval is required, in principle, to carry out wiretapping of telecommunications or to request the provision of communication confirmation data to third parties. However, if a specific law or regulation is applicable, government authorities may request information relevant to investigations without obtaining independent judicial approval.

The Act on Reporting and Using Specified Financial Transaction Information (ARUSFTI) and the Act on Anti-Terrorism for the Protection of Citizens and Public Security (Anti-Terrorism Act) regulate financial transactions related to money laundering and the financing of terrorism. 

The PIPA only allows the provision of personal information to third parties without consent in cases where such provision is:

  • conducted by a public institution to investigate a crime or issue/maintain an indictment;
  • specifically required or permitted by another law; or
  • deemed manifestly necessary for the protection of life, the bodily or property interests of the data subject, or a third party from imminent danger where the data subject or their legal representative is not in a position to express intention, or prior consent cannot be obtained (eg, owing to an unknown addresses).

The Anti-Terrorism Act permits the National Intelligence Service (NIS) to collect entry/departure data, financial transaction data and communication records of terrorism suspects but requires that collection to be carried out in accordance with procedures prescribed by applicable laws such as the Immigration Act, the Customs Act, the ARUSFTI, and the CPPA. In addition, the Anti-Terrorism Act also permits the NIS to request that data handlers submit the personal information and location information of terrorism suspects and conduct surveillance of terrorism suspects in order to collect information necessary for anti-terrorism operations.

Data collection and surveillance activities pursuant to the Anti-Terrorism Act may only be conducted on "terrorism suspects", meaning "a member of a terrorist group (as designated by the UN), or a person who has propagated a terrorist group, raised or contributed funds for terrorism, or engaged in other activities of preparing, conspiring, propagandising, or instigating terrorism, or where there are reasonable grounds to suspect that a person has performed such activities". In addition, the Counterterrorism Centre has been established under the prime minister’s office to monitor abuses of authority by the NIS and a counterterrorism human rights protection officer has been assigned to the National Counterterrorism Commission.

Personal information may, exceptionally, be transferred to a foreign government or international organisation without the consent of the relevant data subjects in cases where that transfer is necessary for the performance of a duty under an international treaty or convention. In all other cases, the consent of data subjects is, in principle, required for the collection/transfer of personal information, even if such collection or transfer is being requested by a foreign government. 

Korea does not participate in a Cloud Act agreement with the USA. Furthermore, the Act on the Development of Cloud Computing and Protection of its Users (Cloud Computing Act) expressly provides that a cloud computing service provider may not provide user data to a third party or process user data for a purpose other than the provision of cloud computing services without consent, except pursuant to a submission order or warrant issued by a Korean court.

Although the co-operation of telecommunications business operators is generally required in order for investigative authorities to execute search and seizure warrants or to carry out wiretapping activities, there remains controversy as to whether telecommunications business operators are legally obliged to provide their co-operation in such cases.

In a Supreme Court decision involving whether an internet portal operator’s provision of communication records pursuant to the Telecommunications Business Act (TBA), upon the request of investigative authorities, infringed upon the privacy rights of data subjects, the Supreme Court held that, in the absence of special circumstances, the internet portal operator should not be liable to data subjects for any damages suffered if their communication records were provided in response to a lawful request made by investigative authorities in connection with an investigation.

Under the PIPA, a data handler that is an ICSP is required to obtain the consent of data subjects to transfer personal information abroad to a foreign entity, irrespective of whether such transfer constitutes a provision or an instance of outsourcing (here, “provision” refers to cases where a data transfer is conducted for the benefit and business purpose of the transferee (that is beyond the original purpose for the collection/use of personal data) whereas “outsourcing” refers to cases where a data transfer is conducted for the benefit and business purpose of the transferor (that is consistent with the original purpose for the collection/use of personal data)). However, a data handler that is an ICSP is not required to obtain the consent of data subjects for such an outsourcing, if certain information, such as the outsourced tasks and the identity of outsourced processors, has been disclosed in a statutorily prescribed manner, such as disclosure in the ICSP’s privacy policy.

In the case of a data handler that is not an ICSP, the consent of data subjects is required to conduct a transfer of personal information constituting a provision, whereas no such consent is required for a transfer of personal information that constitutes an outsourcing.

There is no provision concerning required assessments regarding the data importing jurisdiction under the PIPA.

As explained above, the consent of data subjects is required, in principle, to conduct international data transfers from Korea. In this connection, the PIPA prohibits the execution of international data transfer agreements that violate any provisions thereunder.

No government notifications or approvals are required in order to transfer personal information abroad.

In principle, Korean data protection laws do not prescribe any data localisation requirements but there may be cases where a certain degree of data localisation is required by a sector-specific law. For example, under the Regulation on Supervision of Electronic Financial Transactions (RSEFT), finance companies headquartered in Korea must have their data centre and disaster-recovery centre located in Korea. Notwithstanding the foregoing requirements, if cloud computing services are used pursuant to the RSEFT, then the equipment and facilities of the relevant cloud computing service providers are permitted to be located abroad so long as such equipment and facilities do not process any particular identification information (ie, resident registration numbers, passport numbers, driver’s licence numbers, and alien registration numbers) or personal credit information.

There is no law or regulation in Korea that requires software code, algorithms or similar technical detail to be shared with the government.

There are no special rules that apply to organisations collecting or transferring personal information in connection with foreign government data requests, foreign litigation proceedings or internal investigations. Therefore, under Korean data protection laws, personal information may only be transferred to a foreign government or international organisation, without the consent of data subjects, in cases where such a transfer is necessary for the performance of an obligation under an international treaty or convention, or where such transfer is specially permitted under the Act on International Judicial Mutual Assistance in Civil Matters or the Act on International Judicial Mutual Assistance in Criminal Matters. Otherwise, the transfer of personal information in connection with foreign government data requests, foreign litigation proceedings or internal investigations requires the consent of the data subject.

There are no particular “blocking” statutes in Korea related to privacy or data protection.

Big Data Analytics

As explained in 1.7 Key Developments and 2.1 Omnibus Laws and General Requirements, data handlers are permitted under the PIPA to process pseudonymised information without the consent of data subjects for purposes including statistical compiling, scientific research, and record preservation for the public interest. This latest development has been seen as establishing the statutory basis in Korea for conducting big data analytics going forward.

Automated Decision-Making

There is no law or regulation in Korea that governs automated decision-making in particular. The Credit Information Act recognises the data subject’s right to challenge an automated credit assessment, and defines "automated credit assessment" as "a credit information company’s or other’s act of evaluating a credit information subject by processing the individual’s credit information and other data using an information processing device (such as a computer) without actually being involved in the evaluation of the individual".

Profiling

As explained above, the Credit Information Act recognises the right of data subjects to challenge automated decisions.

Artificial Intelligence

There is no law or regulation in Korea that governs artificial intelligence (AI) in particular. However, AI may be governed to a certain extent by the Intelligent Robots Development and Distribution Promotion Act (Intelligent Robot Act). For your reference, the Robot Act defines "intelligent robot" as a mechanical device (including software required for its operation) that perceives the external environment on its own, discerns circumstances, and moves voluntarily.

Internet of Things (IoT)

There is no law or regulation in Korea that governs the IoT in particular. However, if a certain IoT service includes telecommunication services (eg, connected car services), the service provider may be required to obtain a licence (or licences) under the TBA. The registration requirement applying to anyone wishing to operate a facilities-based telecommunications business was relaxed to a reporting requirement in cases where the contemplated use of facilities-based telecommunications services was ancillary (as prescribed by the Enforcement Decree of the TBA) to the provision of the business operator’s own goods or services and where the business operator was seeking to charge a fee (including cases where such a fee is incorporated into the price of goods or services) for the use of such facilities-based telecommunications services. As such, for example, an electric vehicle manufacturer that operates a facilities-based telecommunications business in Korea has reported its business as a facilities-based telecommunications business to the MSIT.

Autonomous Driving Vehicles

The Motor Vehicle Management Act (MVMA) provides that anyone who intends to operate an autonomous driving motor vehicle for the purposes of testing or research must obtain a temporary operation permit from the Ministry of Land, Infrastructure and Transport (MOLIT) after meeting legally prescribed safety requirements for the safe operation of such a vehicle.

Facial Recognition

As explained in 2.2 Sectoral and Special Issues, information on an individual’s physical, physiological, and behavioural characteristics generated through certain technical means for the purpose of identifying a specific individual constitutes “sensitive information”. Therefore, information collected for the purpose of facial recognition is sensitive information, and in order to process such information, there needs to be statutorily prescribed grounds therefor, or the data handler must obtain the data subject’s express consent, separate from the consent to the processing of other personal information. In addition, the facial features of individuals may constitute biometric data (as more fully explained below) if they are processed for facial recognition purposes. 

Biometric Data

The Standards of Technical and Managerial Security Measures for Personal Information issued under the PIPA define "biometric data" as "fingerprints, facial features, eye features, voice, handwriting, and any other data related to physical or behavioural characteristics that can be used to identify a specific individual". The Network Act, and various regulations issued thereunder, require ICSPs to obtain the consent of users prior to accessing biometric data stored on users’ mobile devices and further require such data to be encrypted prior to being saved.

Geolocation

The processing of (personal) location information by location-based service providers will be subject to the Location Information Act. Specifically, any person that wishes to operate a location information business that collects personal location information for provision to a location-based service business must obtain permission from the KCC. Furthermore, any person that wishes to operate a location-based service business that processes personal location information must file a report with the KCC. Under the Location Information Act, any person that wishes to collect, use or provide location information pertaining to an individual or moveable object must, in principle, obtain the consent of the individual or owner of the moveable object.

Drones

The Drone Utilisation Promotion and Foundation Establishment Act (Drone Act) took effect on 1 May 2020. Under the Drone Act, drones may be classified as unmanned aerial vehicles or unmanned aircraft as defined under the Aviation Safety Act. The Aviation Safety Act imposes various restrictions on the operation of unmanned aerial vehicles (eg, filing reports based on vehicle weight/purpose, restrictions on operating vehicles in densely populated areas and during the night).

Disinformation or Other Online Harms

Obscene materials

Under the Criminal Act, distribution, sale or the like of obscene documents, drawings, pictures, films or other materials are prohibited. Similarly, distribution of obscene materials (which is a type of unlawful information under the Network Act) via an information and communications network is prohibited under the Network Act.

The TBA also requires online service providers and others to immediately delete, or implement other measures necessary to prevent the circulation of, illegal photos or the like upon becoming aware that such material is being circulated through an information and communications network under their management and/or operation. In this connection, certain online service providers (meeting the criteria set forth in the Enforcement Decree of the TBA) must also implement a set of technical and managerial measures to prevent the circulation of illegal photos or the like. 

Offensive or defamatory contents

In Korea, anyone who publicly insults another or anyone who defames another by publicly alleging facts or false facts may be subject to criminal punishment. In particular, anyone who defames another via an information and communications network with intent to disparage the person’s reputation is subject to stricter punishment under a special provision in the Network Act.

Other harmful contents

In addition to the above, the Network Act defines the following as unlawful information and prohibits distribution/circulation of the same via an information and telecommunications network:

  • information that arouses fear or apprehension;
  • information related to disruption of the operation of an information and communications system or the like;
  • information harmful to juveniles;
  • information related to speculative activities prohibited by statutes and regulations;
  • information regarding illicit transactions of personal data;
  • information on the manufacture of firearms or explosives (eg, methods or drawings);
  • information with content that divulges classified national secrets;
  • information with content that violates the National Security Act; and
  • other information with content that attempts to commit, aids or abets a crime. 

Fiduciary Duty for Privacy or Data Protection

Directors of a company have a duty of care and diligence (ie, good manger’s care) and a duty of loyalty, which correspond to fiduciary duty in common law jurisdictions. Because directors have a duty to perform delegated tasks with good manager’s care under the duty of care and diligence, it can be said that directors have an obligation to take necessary measures to protect personal information and privacy.

The PIPC is responsible for establishing basic protocols for data protection, co-ordinating opinion on data processing by public institutions, and conducting data privacy impact assessments.

As explained in 2.5 Enforcement and Litigation (Leading Enforcement Cases), the PIPC imposed a penalty surcharge of KRW6.7 billion on an international social media corporation for its provision of personal information to a third-party business operator without the consent of the data subjects, referred the case to an investigative authority for its violation of the PIPA, and imposed an administrative fine of KRW66 million on the grounds that, among other things, the company stored users’ passwords without encryption, failed to notify the users of the use records on a regular basis, and submitted false documents.

Also, as explained in 2.5 Enforcement and Litigation (Potential Enforcement Penalties), the PIPC may impose a penalty surcharge (up to 3% of the related sales revenue in accordance with applicable regulations) for any data protection violations that are detected in conjunction with the leakage of personal information. The PIPC recently affirmed its commitment to take strong measures against foreign business operators allegedly responsible for violation of data protection laws, if they fail to engage in good-faith co-operation with government investigations. The PIPC’s commitment aims at strengthening its enforcement powers and protecting the personal information of Korean nationals.

On 29 October 2020, the Seoul Central District Court ruled that KRW100,000 in compensatory damages must be awarded to each data subject affected by a leakage of personal information that occurred at an e-commerce website. In addition, please refer to the discussion of class actions in 2.5 Enforcement and Litigation.

In general, due diligence (to assess compliance with Korean data protection laws) is conducted during corporate transactions and, in certain cases, representations and warranties are provided by parties to contractually stipulate compliance with applicable data protection requirements.

Under the Electronic Financial Transactions Act, financial companies and electronic financial businesses are required to notify the FSC without delay if they are affected by an electronic intrusion incident that disrupts or disables electronic financial infrastructure.

There are no other significant issues in Korean data protection and privacy not already covered in this chapter.

Lee & Ko

Hanjin Building
63 Namdaemun-ro
Jung-gu
Seoul 04532
Korea

+82 2 772 4000

+82 2 772 4001

mail@leeko.com www.leeko.com
Author Business Card

Law and Practice in South Korea

Authors



Lee & Ko is the premier full-service law firm in Korea, whose evolution has paralleled, in many ways, the solid economic development of the country for more than 40 years. The firm is recognised for its expertise in over 80 specialised practice areas and has been consistently acclaimed as one of the leading firms in Asia by internationally respected legal publications. Lee & Ko has a global client base that includes multinational corporations in many different industries. In particular, the firm’s DPC (data privacy & cybersecurity) and TMT (technology, media and telecommunications) practice groups have extensive experience, knowledge, and expertise in a wide range of issues involving, among other things, security breaches, hacking incidents and DPC/TMT-related regulatory issues, transactional matters and litigation. Lee & Ko's attorneys are widely recognised as being among the top experts in their respective fields, with unrivalled knowledge and know-how in Korea.