Under the Constitution of Korea, the rights to privacy, privacy of communications and freedom of expression are recognised as fundamental rights. In addition, the Constitutional Court and Supreme Court of Korea have established through subsequent court decisions that the right to informational self-determination should be viewed as a separate fundamental right, despite not being stipulated in the Constitution.
The main laws and regulations related to data protection are the Personal Information Protection Act (PIPA) and its implementing regulations, which regulate the collection, usage, disclosure and other processing (collectively, "processing or process") of personal information by governmental or private entities as well as individuals. In addition to the PIPA, there are sector-specific laws that also regulate data protection. The processing of personal information by information and communications service providers (ICSPs), such as telecommunications service providers, is regulated by the Act on Promotion of Information Communication Network Usage and Information Protection (Network Act), and the processing of (personal) credit information by financial institutions, credit information companies, and general commercial transaction companies that provide or use credit information (ie, credit information users) is regulated by the Act on Usage and Protection of Credit Information (Credit Information Act). The processing of location information is separately regulated by the Act on the Protection and Use of Location Information (Location Information Act). As the comprehensive data protection law, the PIPA will generally apply to the processing of personal information unless a provision of a sector-specific law, such as any one of the foregoing, is found to be applicable in a certain case. Meanwhile, as explained in 1.2 Regulators, the Network Act’s personal information-related provisions will be transferred to the PIPA as part of the "special provisions" section as a result of the Amendments.
Regulators may impose various administrative sanctions, such as corrective orders, administrative fines and penalty surcharges for violations of data protection laws and regulations. Additionally, public prosecutors may investigate any violations that are also subject to criminal punishment and, in certain cases, impose criminal penalties upon both companies and individuals if the relevant provisions provide for vicarious liability. Data subjects may also claim damages for any violations of data protection laws and regulations that infringe upon their right to informational self-determination or their right to privacy.
Various regulators are involved in enforcing Korean data protection laws. The regulatory authority responsible for enforcing the PIPA is the Ministry of Interior and Safety (MOIS). The MOIS is one of the ministries of Korea’s Administrative Department. The regulatory authority responsible for enforcing the Network Act and the Location Information Act is the Korea Communications Commission (KCC). In addition, the Korea Internet and Security Agency (KISA) performs tasks delegated to it by the MOIS and the KCC. Meanwhile, the Financial Services Commission (FSC) enforces the Credit Information Act and issues formal interpretations thereon.
Following recent amendments to the PIPA, the Network Act, and the Credit Information Act (collectively, "the Amendments") which were announced on 4 February 2020, the Personal Information Protection Committee (PIPC) will be elevated to a central administrative agency under the direct authority of the Prime Minister and will take over from the MOIS and the KCC, respectively, responsibility for enforcing the PIPA and the Network Act. Accordingly, any references hereinafter to the MOIS and the KCC with respect to enforcement of the PIPA and the Network Act, respectively, should be read as references to the PIPC once the Amendments take effect (currently scheduled for 5 August 2020).
However, the FSC and the KCC will continue to be responsible for enforcing the Credit Information Act and the Location Information Act, respectively. Please note that the FSC will only be responsible for regulating personal credit information processed by financial institutions and credit information companies. Any personal credit information processed by non-financial institutions will be regulated by the PIPC.
When data protection and privacy law violations such as data leakages occur, or complaints are registered regarding such violations, the pertinent regulator may get involved, depending on which sectoral laws are implicated. Even without a particular reason, regulators also occasionally conduct special surveys to establish if certain industries and industry players are in compliance with applicable data privacy laws.
Under the PIPA, the MOIS is allowed to impose administrative sanctions such as penalty surcharges, administrative fines and corrective orders on data handlers, and – if they are found to be in violation of a law, or the MOIS receives a complaint of a violation – it may request the data handler to submit relevant materials regarding the violation. Even if the MOIS does not receive a complaint, it conducts surveys on a regular and/or irregular basis to see whether certain industries and data handlers are in compliance with the PIPA. After the Amendments take effect, the PIPC will have the authority to impose administrative sanctions under the PIPA, as well as to investigate and impose measures for any violations of data protection laws and regulations that infringe upon the rights of data subjects.
The imposition of an administrative sanction must be done in accordance with the Administrative Procedures Act, and the data handler subject to the administrative sanction may object to it by filing an administrative lawsuit or administrative appeal.
South Korea is a member of the Asia-Pacific Economic Cooperation (APEC). In its press release, issued on 27 December 2017, KISA announced that it had filed an application with APEC to be recognised as an accountability agent of the Cross-Border Privacy Rules (CBPR) system.
Meanwhile, the adequacy assessment under the European Union’s General Data Protection Regulation (GDPR) that the Korean Government has been pursuing in consultation with the European Commission appears to have been one of the motivating factors behind the Amendments, as the lack of an independent central data protection authority is known to have been one of the reasons behind the European Commission’s reluctance to proceed with the adequacy assessment.
Finally, the PIPA expressly provides that any local ordinances (or amendments thereto) regulating the processing of personal information that have been issued by local government authorities must be consistent with the legislative purposes of the PIPA. In addition, the MOIS is authorised to provide its formal opinion in response to any such local ordinances that have been issued (or amended) by local government authorities.
Under the PIPA, the MOIS is obliged to promote self-regulation. If an association comprised of companies within a specific industry meets certain requirements, the MOIS will designate that association as a self-regulatory industry group so that it may establish data protection standards suited to its specific industry and require member companies to comply with those standards. As of January 2020, a total of 14 organisations (eg, the Korean Hospital Association, the Korea Association of Travel Agents) have achieved the status of self-regulatory organisations.
In general, NGOs are engaged in various activities such as proposing amendments to data protection laws and regulations, reporting data breaches to the regulatory authorities, requesting criminal investigations into such data breaches, and filing public interest lawsuits against data handlers.
Overall, Korean data protection laws and regulations are some of the most stringent in the world, and the enforcement of the regulations is also relatively aggressive. The Amendments, which incorporate certain aspects of the GDPR, are widely seen as having expanded the scope of purposes for which personal information may be used, while also stipulating heavier penalties for violations.
In addition to the Amendments (explained in more detail in 1.8 Significant Pending Changes, Hot Topics and Issues), which are expected to come into effect on 5 August 2020, there have been the following key developments in the last 12 months:
Some of the key features of the Amendments (expected to take effect on 5 August 2020) have been summarised below.
Amendments to the PIPA and the Network Act
The amendments to the PIPA that have been adopted include, among others:
Amendments to the Credit Information Act
The amendments to the Credit Information Act that have been adopted include, among others:
The Amendments are meaningful in that they provide clearer guidance to data handlers on what constitutes the lawful processing of personal information, and also set forth the standards for the secure processing of personal information. Yet, since the Amendments also impose additional obligations on data handlers and provide for heavier sanctions (eg, introduction of a penalty surcharge) in the case of a violation, the recent changes should not be taken lightly.
As explained above, in 1.1 Laws, data protection is fundamentally governed by the PIPA.
Under the PIPA, all data handlers are required to appoint a Chief Privacy Officer (CPO). The CPO is responsible for overseeing all matters related to the processing of personal information, including compliance with the relevant laws, protection of personal information, and protection of a data subject’s rights.
The PIPA requires data handlers (other than public institutions) to appoint an individual who is: (i) the owner/representative; or (ii) an executive officer (or, if there is no executive officer, the head of the data handler’s department in charge of performing tasks related to the processing of personal information) as their CPO.
Authorised Collection, Use or other Processing
In principle, data handlers are permitted to collect personal information if one of the following grounds exists:
After the Amendments take effect, the PIPA will allow data handlers to use or provide personal information, without the consent of the data subject, within the scope reasonably related to the original purpose of collection, in accordance with the Enforcement Decree of the PIPA (to be promulgated). In doing so, the data handler must consider, for example, whether such use or provision may result in any disadvantage to the data subject and whether it has implemented the necessary safeguards (eg, encryption) to ensure the security of the personal information. This change is viewed as a reflection of the GDPR’s "compatible use" principle.
Privacy by Design or by Default
Unlike the GDPR, Korea’s data protection and privacy laws do not specify the requirements that will trigger the application of a "privacy by design" or "by default" concept. However, the PIPA, the Network Act, and their respective implementing regulations set forth detailed standards on the technical and managerial measures to be taken with respect to personal information processing systems and network security.
Privacy Impact Analyses
Under the PIPA, only public institutions managing personal information files that meet certain criteria must conduct a privacy impact analysis if there is a concern that a data subject’s privacy may be infringed upon due to the management of his or her personal information file. In addition, although different from a privacy impact analysis, all data handlers (including private companies) must include "matters related to the analysis of risk factors and the establishment of contingency measures" in their internal control plans.
Data handlers are required to disclose their privacy policies, usually through their website. In addition, data handlers are required to establish and implement an internal control plan to prevent the loss, theft, leakage, falsification and alteration of, as well as damage to, personal information.
Data Subject Access Rights
Under the PIPA, a data subject has the following rights.
Right of access to data
A data subject has the right to request access to his or her personal information where it is being processed by the data handler. In principle, the data handler must allow the data subject to access his or her personal information within ten days of receiving such a request.
Right to rectification of errors and deletion
A data subject who accesses his or her personal information has the right to request rectification or deletion of his or her personal information. The data handler must rectify or delete the personal information immediately upon receiving such a request and notify the data subject of the results.
Right to object to processing
A data subject has the right to request suspension of the processing of his or her personal information. Unless there are grounds for refusing such a request, the data handler must suspend the partial or entire processing of the data subject’s personal information without delay.
After the Amendments take effect, the Credit Information Act will recognise the right to data portability of personal credit information (specifically, the right of data subjects to request financial companies and public institutions to transmit their personal credit information to other financial companies). However, no such right to data portability (in the case of personal information) will be recognised under the amended PIPA.
Anonymisation, De-identification, Pseudonymisation
After the Amendments take effect, the PIPA and the Credit Information Act will expressly provide that anonymised data is excluded from the application of their provisions, and will newly introduce the concept of pseudonymised information. Specifically, data handlers will be permitted to process pseudonymised information without the consent of the data subject for purposes including the compiling of statistics, scientific research, and record preservation in the public interest. For reference, the amended PIPA will regulate the combining of pseudonymised information managed by different data handlers by stipulating that only professional institutions designated by the PIPC, or by the head of the pertinent central administrative agency, may combine such pseudonymised information.
Profiling and Automated Decision-Making
After the Amendments take effect, the Credit Information Act will recognise the right of data subjects to challenge (ie, request explanations and raise objections) decisions based on profiling or automated processing. However, no such right will be recognised under the amended PIPA.
Injury or Harm
The concept of "injury" or "harm" is not defined under the relevant laws. However, under the PIPA, a data subject who suffers injury as a result of the data handler’s violation of an applicable law may request compensation for the injury from the data handler. Court precedent dictates that the standard to be applied when determining whether harm occurred is "whether the data subject suffered emotional distress that can be compensated with money."
Sensitive data is defined as personal information regarding an individual’s ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal information that may cause a material breach of privacy (genetic information and criminal records are listed as examples of such "other personal information" in the Enforcement Decree of the PIPA).
To process sensitive data, there need to be statutorily prescribed grounds therefor, or the data handler must obtain the data subject’s express consent, separate from the consent to the processing of other personal information.
The processing of financial data is regulated mainly by the Credit Information Act.
"Credit information" means information prescribed by the Enforcement Decree of the Credit Information Act that is necessary to determine the creditworthiness of the other party to financial transactions and other commercial transactions. This includes:
"Personal credit information" means credit information that is necessary to determine the credit rating and credit transaction ability of an individual, and that relates to a living natural person who can be identified through their name, resident registration number, etc. This includes any information from which a specific individual is identifiable, either on its own or when combined with other information.
Health data and medical data qualify as sensitive data under the PIPA and are thus protected under the general data protection and privacy laws. Where individual laws such as the Medical Service Act stipulate rules on the processing and protection of health data, these laws will apply. Medical institutions may collect and use medical records and personal information of a patient without his or her consent if the collection and use is for medical treatment purposes (Medical Service Act, Article 22).
The Communications Privacy Protection Act (CPPA) governs the secrecy of communications and conversations. Specifically, the CPPA prohibits anyone from screening mail, wiretapping telecommunications, providing communication records, or recording/listening to private conversations between third parties except as permitted under the CPPA, the Criminal Procedure Act, or the Military Court Act. In addition, court approval is required, in principle, to carry out wiretapping of telecommunications or provision of communication records to third parties. The Supreme Court has previously ruled that the term "wiretapping" should be interpreted as "acquiring/recording the contents of telecommunications or directly interfering with the transmission/reception of telecommunications on a real-time basis" and that this term should not apply to the content or records of telecommunications that have already been transmitted/received. However, the Network Act provides that "no person may damage any data of third parties that is processed, stored, or transmitted via an information and communications network or infringe, misappropriate, or divulge any secrets of third parties". Consequently, the contents of telecommunications that have already been transmitted/received will be separately protected by the Network Act.
Children’s or Student Data
If data handlers and online service providers seek to process the personal information of children under the age of 14, they are required to obtain the consent of the children’s legal guardians. In addition, those legal guardians are authorised to exercise the child’s rights as a data subject under the PIPA and the Network Act. Furthermore, ICSPs are required under the Network Act (following amendments which took effect on 25 June 2019) to verify (in accordance with methods prescribed by the Enforcement Decree of the Network Act) the authenticity of the consent provided by legal guardians for the processing of personal information of children under the age of 14.
Educational or school data is regulated not only by the PIPA, but also the Education Framework Act, Elementary and Secondary Education Act, and the Rules on the Operation of the Infant Education Information System and Education Information System. A student’s personal information, school records and physical check-up records must not be provided to a third party without the consent of the student (if he or she is underage, the consent of the legal guardian) unless allowed under an applicable law. Legal guardians (eg, parents) have the right to view the student information (eg, school records) of the person that is in their care and may also view the computerised data of that person by accessing the educational administration information system.
The PIPA applies to the processing of any employment data to the extent such data constitutes personal information. Therefore, the consent of data subjects is required, in principle, to collect and use such employment data. However, exceptions to this consent requirement are recognised in cases where employment data is collected/used in order to execute and perform an employment contract with the data subject or where such collection or use is specifically permitted or required by law. For instance, employment data may be processed without the consent of data subjects in cases where that processing is necessary to prepare a register of employees as required by the Labour Standards Act.
Other Categories of Sensitive Data
As explained above, information relating to union membership, sexual orientation, political or philosophical beliefs qualifies as sensitive data as defined under the PIPA. Therefore, in order to process sensitive data, there need to be statutorily prescribed grounds therefor, or the data handler must obtain the data subject’s express consent, separate from the consent to the processing of other personal information.
The Standards of Personal Information Security Measures require data handlers to retain and manage records of access to the personal information processing system (by their personal information managers) for at least one year, or for at least two years in cases where the personal information processing system processes any particular identification data (ie, resident registration numbers, passport numbers, driver’s licence numbers, and alien registration numbers) or sensitive data.
Internet, Streaming and Video Issues
If any browsing data, viewing data, cookies, or beacons can be easily combined with other information to identify specific individuals then such data will be deemed personal information. If this is actually the case, then the consent of data subjects will be required, in principle, to collect and use such data. That said, the Network Act recognises exceptions to this consent requirement in cases where it is seriously difficult to obtain the consent from the data subject in an ordinary manner for an economic or technical reason, and yet, the collection or use of the personal information is necessary for the performance of a contract with the data subject concerning the provision of information and communications services.
The processing of location data is separately regulated by the Location Information Act. If any personal location information is collected for the purpose of location-based advertising, both consent for the collection and use of personal location information under the Location Information Act and consent for the collection and use of personal information under the Network Act must be obtained.
Do not track, and tracking technology
There are no separate laws or regulations on behavioural advertising. The KCC announced the Guidelines on Privacy and Online Behavioural Advertising in February 2017. Although the guidelines do not state that the prior consent of users should be obtained in order to conduct targeted advertising to them, companies engaging in such advertising must nevertheless provide notice of the items of behavioural data that will be collected, the methods of collection, the purposes of collection, the periods of retention and use, the means by which users may exercise control over such data, and the methods of redress available to users who suffer damages. Users can then control their exposure to targeted advertisements appearing through web browsers and smartphone applications by using the methods notified to them. In addition, if any personal information is collected in the course of conducting targeted advertising, the consent of users to the processing of such personal information may be required pursuant to Korean data protection laws.
Social media, search engines, large online platforms
Social media, search engines and large online platforms are all information and communications services subject to the Network Act. The Network Act previously contained a provision requiring large-scale ICSPs to verify the identity of users of online bulletin boards, but this provision was found to be unconstitutional by the Constitutional Court of Korea for violating the freedom of expression of users. Under the amended Credit Information Act, the data subject’s consent is not required to process information that the data subject disclosed on a social networking service or other similar platform either by himself or herself, or through a third party.
Addressing hate speech, disinformation, terrorist propaganda, etc
The Network Act prohibits the distribution, via information and communications networks, of illegal information such as obscene materials, defamatory information, media content harmful to juveniles, content that divulges a state secret, content which constitutes activity prohibited by the National Security Act, and information relating to speculative acts that are prohibited by law.
There is no law or regulation which expressly recognises the "right to be forgotten". However, under the Network Act, if information that was provided via an information and communications network for the purpose of being disclosed to the public ends up infringing upon another person’s privacy or damages his or her reputation, the person who was affected in such an adverse manner may request that the ICSP delete such information by explaining how his or her rights were infringed. Furthermore, under the PIPA, a data subject is entitled to request a data handler to delete his or her personal information.
As explained above, data subjects are entitled under the PIPA to request access to their personal information that is being processed by the data handler. However, there are no separate laws or regulations on data portability. After the Amendments take effect, the Credit Information Act will recognise the right of data subjects to request that financial companies and public institutions transmit their personal credit information (ie, right to data portability of personal credit information) to other financial companies.
As explained above, data subjects are entitled under the PIPA to request rectification or deletion of their personal information that is being processed by the data handler. Data handlers must rectify or delete the personal information immediately upon receiving such requests and notify data subjects of the results.
The Amendments stipulate that the various rights under the PIPA that data subjects are entitled to exercise, with respect to the processing of their personal information, will not apply to the processing of their pseudonymised information.
Under the Network Act, the recipient’s express prior consent is required for the transmission of commercial advertising information through electronic means (eg, mobile phone, email). However, an exception to this consent requirement is recognised where the sender directly collected the recipient’s contact information in the course of a previous transaction for goods or services between the two parties, and intends to send the recipient commercial advertising information regarding the same type of goods or services within six months of the date of that previous transaction.
There is no law or regulation in Korea that governs behavioural advertising in particular. However, the collection and processing of cookies and behavioural data, and information necessary for conducting behavioural advertising, will be subject to notice and consent requirements for the processing of personal information if such information can be used to identify specific individuals.
Privacy in the workplace is governed by the PIPA.
As a general rule, employee monitoring is only permitted in cases where the necessary consent has been obtained under the PIPA, the Network Act, and the CPPA. It should be noted, however, that pursuant to a decision by the Supreme Court of Korea, a limited exception to the foregoing consent requirement may be recognised in cases where a company has a justifiable reason (eg, reasonable suspicion that confidential information is being leaked) for conducting employee monitoring.
The Act on the Promotion of Workers' Participation and Co-operation provides that an employer with 30 or more full-time workers must establish a labour management council, and that the labour management council must be consulted before the employer "install[s] employee surveillance systems/facilities within the workplace".
Under the Act on the Protection of Specific Crime Informants, employers are prohibited from dismissing or imposing any disadvantages on any of their employees for having reported a crime. In addition, the Protection of Public Interest Whistle-Blowers Act is applicable to "public interest whistle-blowing", which is the reporting of a violation of a public interest (ie, certain illegal acts that infringe on the health and safety of the public).
There is no law or regulation that expressly provides that e-discovery will be excluded from the application of the PIPA. Consequently, there is a risk of violating the PIPA if any personal information is provided to the opposing party of a litigation without the consent of data subjects during e-discovery. The Supreme Court of Korea has previously ruled that a party who is the subject of a document production order issued by a court may not rely on consent requirements under the PIPA to refuse to comply with such a document production order.
As a general principle, the PIPA provides that personal information must only be collected to the minimum extent necessary to achieve the purposes of processing, and that data handlers bear the burden of establishing that personal information has in fact been collected only to that minimum necessary extent. Therefore, if an employer collects the personal information of one of its employees, without consent, for the purpose of performing an employment contract with the employee, the employer will bear the burden of establishing that it has collected only the minimum amount of the employee’s personal information necessary to perform that employment contract.
Legal Standards for Regulators
The MOIS and KCC may request that data handlers submit explanatory materials in response to alleged violations of the PIPA and Network Act, respectively, and may jointly inspect data protection compliance levels of data handlers in conjunction with the relevant central government agency in order to prevent, and effectively respond to, security incidents involving the leakage of personal information. The MOIS and KCC may also impose administrative sanctions in the form of corrective orders, administrative fines, or penalty surcharges upon finding any violations of the PIPA and Network Act, respectively.
Potential Enforcement Penalties
Regulators such as the MOIS and KCC may impose various administrative sanctions such as corrective orders, administrative fines and penalty surcharges (up to 3% of the related sales revenue) for violations of respective laws and regulations. Additionally, public prosecutors may investigate any violations that are also subject to criminal punishment.
After the Amendments take effect, data handlers may face a penalty surcharge of up to 3% of their entire revenue for violating any provisions of the PIPA related to the processing of pseudonymised information.
Leading Enforcement Cases
On 22 November 2019, the KCC imposed a penalty surcharge of KRW1.852 billion on an e-commerce business for exposing, on repeated occasions, the personal information of 20 users who had previously registered for its service to other users who were registering for the same service. In addition, the KCC announced that, until it established formal guidelines on this issue, its basic policy would be to refer all business operators involved in personal information leakages for criminal prosecution.
Under the PIPA and Network Act, data subjects may claim damages against data handlers for privacy or data protection violations and data handlers may not avoid liability in such cases unless they can establish that such violations were not caused by any negligence or wilful misconduct attributable to themselves.
The PIPA also contains statutory and punitive damages provisions. Thus, a data subject whose personal information has been lost, stolen or leaked may claim statutory damages of up to KRW3 million if there has been any negligence or wilful misconduct on the part of the data handler. In addition, a court may order a data handler to pay up to treble the amount of damages suffered by a data subject as punitive damages.
After the Amendments take effect, the maximum amount of punitive damages under the Credit Information Act that may be imposed on financial companies and other credit information handlers in connection with the leakage of personal credit information due to their intentional or grossly negligent acts or omissions will be increased to five times (from the current three times) the amount of proven damages.
Korean data protection laws allow for the filing of class action lawsuits by data subjects affected by security breaches (including personal information leakages) under certain limited circumstances. Under the PIPA, data handlers may request that the dispute mediation committee mediate class actions in certain cases permitted by the Enforcement Decree of the PIPA where the damages or the infringement of privacy suffered by data subjects are identical or similar. Furthermore, consumer organisations and non-profit organisations may petition a court on behalf of data subjects to suspend or prohibit any infringing activity by a data handler in the event such a data handler refuses to participate in class action mediation or accept the results thereof.
On 25 July 2019, the Supreme Court of Korea affirmed a lower court’s ruling which found that a script writer of a radio programme could not be deemed a "data handler" (as defined under the PIPA) based on the mere fact that the individual in question possessed the authority to access personal information files that were being administered by a third party.
On 1 November 2019, the Seoul High Court affirmed the KCC’s decision to impose a penalty surcharge of approximately KRW4.5 billion on an e-commerce business in connection with the leakage of personal information after reasoning that the amount of "related sales revenue" (serving as the basis for the imposition of penalty surcharges) should not be limited to the amount of profit or revenue that was actually generated by the company’s violative activity.
Under the Criminal Procedure Act, search and seizures must be, in principle, conducted pursuant to a court-issued warrant. In addition, under the CPPA, independent judicial approval is required, in principle, to carry out wiretapping of telecommunications or to request the provision of communication confirmation data to third parties. However, if a specific law or regulation is applicable, government authorities may request information relevant to investigations without obtaining independent judicial approval.
The Act on Reporting and Using Specified Financial Transaction Information (ARUSFTI) and the Act on Anti-Terrorism for the Protection of Citizens and Public Security (Anti-Terrorism Act) regulate financial transactions related to money laundering and the financing of terrorism.
The PIPA only allows the provision of personal information to third parties without consent in cases where such provision is: (i) conducted by a public institution to investigate a crime or issue/maintain an indictment; or (ii) specifically required or permitted by another law.
The Anti-Terrorism Act permits the National Intelligence Service (NIS) to collect entry/departure data, financial transaction data and communication records of terrorism suspects but requires that collection to be carried out in accordance with procedures prescribed by applicable laws such as the Immigration Act, the Customs Act, the ARUSFTI, and the CPPA. In addition, the Anti-Terrorism Act also permits the NIS to request that data handlers submit the personal information and location information of terrorism suspects and conduct surveillance of terrorism suspects in order to collect information necessary for anti-terrorism operations.
Data collection and surveillance activities pursuant to the Anti-Terrorism Act may only be conducted on "terrorism suspects", meaning "a member of a terrorist group (as designated by the UN), or a person who has propagated a terrorist group, raised, or contributed funds for terrorism, or engaged in other activities of preparing, conspiring, propagandising, or instigating terrorism, or where there are reasonable grounds to suspect that a person has performed such activities". In addition, the counterterrorism centre has been established under the prime minister’s office to monitor abuses of authority by the NIS and a counterterrorism human rights protection officer has been assigned to the national counterterrorism commission.
Personal information may, exceptionally, be transferred to a foreign government or international organisation without the consent of the relevant data subjects in cases where that transfer is necessary for the performance of an international treaty or convention. In all other cases, the consent of data subjects is, in principle, required for the collection/transfer of personal information even if such collection or transfer is being requested by a foreign government.
Korea does not participate in a Cloud Act agreement with the USA. Furthermore, the Act on the Development of Cloud Computing and Protection of its Users (Cloud Computing Act) expressly provides that a cloud computing service provider may not provide user data to a third party or process user data for a purpose other than for the provision of cloud computing services without consent, except pursuant to a submission order or warrant issued by a Korean court.
Although the co-operation of telecommunications business operators is generally required in order for investigative authorities to execute search and seizure warrants or to carry out wiretapping activities, there remains controversy as to whether telecommunications business operators are legally obliged to provide their co-operation in such cases.
In a Supreme Court decision involving whether an internet portal operator’s provision of communication records pursuant to the Telecommunications Business Act (TBA), upon the request of investigative authorities, infringed upon the privacy rights of data subjects, the Supreme Court held that, in the absence of special circumstances, the internet portal operator should not be liable to data subjects for any damages suffered if their communication records were provided in response to a lawful request made by investigative authorities in connection with an investigation.
However, under the PIPA, the consent of data subjects is required to conduct transfers of personal information that constitute a provision, whereas no such consent is required for transfers of personal information that constitute outsourcing.
As explained above, the consent of data subjects is required, in principle, to conduct international data transfers from Korea. Furthermore, both the PIPA and the Network Act prohibit the execution of international data transfer agreements that violate any provisions thereunder.
No government notifications or approvals are required in order to transfer personal information abroad.
In principle, Korean data protection laws do not prescribe any data localisation requirements but there may be cases where a certain degree of data localisation is required by a sector-specific law. For example, under the Regulation on Supervision of Electronic Financial Transactions (RSEFT), finance companies headquartered in Korea must have their data centre and disaster-recovery centre located in Korea. Notwithstanding the foregoing requirements, if cloud computing services are used pursuant to the RSEFT, then the equipment and facilities of the relevant cloud computing service providers are permitted to be located abroad so long as such equipment and facilities do not process any particular identification information (ie, RRNs, passport numbers, driver’s licence numbers, and alien registration numbers) or personal credit information. The RSEFT does not explicitly prohibit finance companies that have established data centres and disaster-recovery centres in Korea from transferring the same data abroad.
There is no law or regulation in Korea that requires software code, algorithms or similar technical detail to be shared with the government.
There are no special rules applying to organisations collecting or transferring personal information in connection with foreign government data requests, foreign litigation proceedings or internal investigations. Therefore, under Korean data protection laws, personal information may only be transferred to a foreign government or international organisation without the consent of data subjects in cases where such a transfer is necessary for the performance of an international treaty or convention, or where such transfer is specially permitted under the Act on International Judicial Mutual Assistance in Civil Matters or the Act on International Judicial Mutual Assistance in Criminal Matters. Otherwise, the transfer of personal information in connection with foreign government data requests, foreign litigation proceedings or internal investigations requires the consent of the data subject.
There are no particular “blocking” statutes in Korea related to privacy or data protection.
Big Data Analytics
As explained above, after the Amendments take effect, data handlers will be permitted under the PIPA to process pseudonymised information without the consent of data subjects for purposes including statistical compiling, scientific research, and record preservation for the public interest. This latest development is seen as establishing the statutory basis in Korea for conducting big data analytics going forward.
There is no law or regulation in Korea that governs automated decision-making in particular. For your information, the amended Credit Information Act recognises the data subject’s right to challenge an automated decision, and defines "automated decision-making" as "a credit information company’s or other’s act of evaluating a credit information subject by processing the individual’s credit information and other data using an information processing device (such as a computer) without actually being involved in the evaluation of the individual".
As explained above, after the Amendments take effect, the Credit Information Act will recognise the right of data subjects to challenge automated decisions.
Artificial intelligence is governed to a certain extent by the Intelligent Robots Development and Distribution Promotion Act (Intelligent Robot Act). For your reference, the Intelligent Robot Act defines "intelligent robot" as a mechanical device (including software required for its operation) that perceives the external environment on its own, discerns circumstances, and moves voluntarily.
Internet of Things (IoT)
IoT is currently regulated by the TBA. Following recent amendments to the TBA, which were passed on 24 December 2018, the registration requirement applying to anyone wishing to operate a facilities-based telecommunications business was relaxed to a reporting requirement in cases where the contemplated use of facilities-based telecommunications services was ancillary (as prescribed by the Enforcement Decree of the TBA) to the provision of the business operator’s own goods or services and where the business operator was seeking to charge a fee (including cases where such a fee is incorporated into the price of goods or services) for the use of such facilities-based telecommunications services.
The Motor Vehicle Management Act (MVMA) provides that anyone who intends to operate an autonomous driving motor vehicle for the purposes of testing or research must obtain a temporary operation permit from the Ministry of Land, Infrastructure and Transport (MOLIT) after meeting legally prescribed safety requirements for the safe operation of such a vehicle.
The facial features of individuals are treated as personal information and therefore, the processing of such data for facial recognition purposes will be subject to the general requirements under Korean data protection laws applying to the processing of personal information. In addition, the facial features of individuals may constitute biometric data (as more fully explained below) if they are processed for facial recognition purposes.
The Standards of Technical and Managerial Security Measures for Personal Information issued under the Network Act define "biometric data" as "fingerprints, facial features, eye features, voice, handwriting, and any other data related to physical or behavioural characteristics that can be used to identify a specific individual". The Network Act, and various regulations issued thereunder, require ICSPs to obtain the consent of users prior to accessing biometric data stored on users’ mobile devices and further require such data to be encrypted prior to being saved.
The processing of (personal) location information by location-based service providers will be subject to the Location Information Act. Specifically, any person that wishes to operate a location information business that collects personal location information for provision to a location-based service business must obtain permission from the KCC. Furthermore, any person that wishes to operate a location-based service business that processes personal location information must file a report with the KCC. Under the Location Information Act, any person that wishes to collect, use or provide location information pertaining to an individual or moveable object must, in principle, obtain the consent of the individual or owner of the moveable object.
The Drone Utilisation Promotion and Foundation Establishment Act (Drone Act) is scheduled to take effect on 1 May 2020. Under the Drone Act, drones may be classified as unmanned aerial vehicles or unmanned aircraft as defined under the Aviation Safety Act. The Aviation Safety Act imposes various restrictions on the operation of unmanned aerial vehicles (eg, filing reports based on vehicle weight/purpose, restrictions on operating vehicles in densely populated areas and during the night).
The PIPC is responsible for establishing basic protocols for data protection, co-ordinating opinions on data processing by public institutions, and conducting data privacy impact assessments.
As explained above, the KCC imposed a penalty surcharge of KRW1.852 billion on an e-commerce business for exposing, on repeated occasions, the personal information of 20 users who previously registered for its service to other users who were registering for the same service.
As explained above, the KCC may impose a penalty surcharge (up to 3% of the related sales revenue in accordance with applicable regulations) for any data protection violations that are detected in conjunction with the leakage of personal information. The KCC has recently announced its intention to impose stiffer penalties (ie, penalty surcharges) for violations of the Network Act.
On 2 August 2019, the Supreme Court of Korea affirmed a lower court’s decision that awarded KRW100,000 in compensatory damages to each data subject affected by a leakage of personal information that occurred at a credit card company. In addition, please refer to the discussion of class actions in 2.5 Enforcement and Litigation.
In general, due diligence (to assess compliance with Korean data protection laws) is conducted during corporate transactions and, in certain cases, representations and warranties are provided by parties to contractually stipulate compliance with applicable data protection requirements.
Under the Electronic Financial Transactions Act, financial companies and electronic financial businesses are required to notify the FSC without delay if they are affected by an electronic intrusion incident that disrupts or disables electronic financial infrastructure.
There are no major issues in Korean data protection and privacy not already covered in this chapter.
South Korea is seeing two sets of important developments in the data regulation sphere. At the start of 2020, the national legislature passed a set of major amendments to the key data privacy statutes, including the Personal Information Protection Act (PIPA) and the separate law governing credit data, which promise to free up the collection and processing of data in the “Big Data” context, to a large extent. Set to take effect in August 2020, the changes to the regulatory framework also include the centralisation of data regulation functions in a single agency, a move mainly aimed at obtaining a European Commission “adequacy decision” for GDPR purposes so as to ease EU-Korea data flows.
At the same time, data requirements and monitoring were stiffened in 2019, in important respects, and active regulatory oversight seems likely to continue through 2020. Requirements meriting particular care in light of warning flags from 2019 include the appointment of a local data privacy representative (in the case of major offshore websites), and requirements relating to data security officers and liability insurance or reserves. Existing requirements surrounding app access to smartphone folders have also seen active monitoring since mid-2019, in a trend that is likely to continue. These developments underscore the fact that local regulators have significant latitude to pursue data compliance issues offshore – and are willing to do so.
Major Changes to Regulatory Framework
On 9 January 2020, the National Assembly passed a slate of changes to the core data protection statutes, mainly the PIPA and the Credit Information Protection Act (CIPA, critical for the financial sector), which will take effect on 5 August 2020. The amendments will newly recognise the concept of pseudonymised information, defined in a way similar to the analogous concept under GDPR, and will to a large extent free up the generation and use of such information. Other changes to PIPA and CIPA will help clarify and partly relax constraints on the permitted usage and transfer of customer data (without need of further consent). CIPA as amended will introduce a systematic framework for a variety of credit data-based services, and include provisions for data portability. Also, under PIPA, monitoring, policy-making and other regulatory functions will be newly centralised in the Personal Information Protection Commission (PIPC).
Note that many of the specific concepts and standards involved in these amendments are yet to be defined by further regulations, primarily a Presidential Enforcement Decree, which should come out by mid or late July 2020 (shortly before the changes take effect).
Pseudonymised information: scope defined
Under the amended PIPA, pseudonymised information is defined as information that is pseudonymised so that it is not identifiable (to a specific individual) without using (or combining it with) additional information to restore it to its original state. Pseudonymised information should include information that has been de-identified through processes such as hashing, though it is not quite clear under the new rules whether it would cover, for example, AdID data and certain other types of data in widespread use.
The CIPA applies to “credit information companies etc” (covering virtually all financial institutions), and further defines a category of “pseudonymised personal credit information”, which is credit information (including bank records, financial records, etc) meeting non-identifiability criteria that correspond to the PIPA criteria (above).
What will not qualify as pseudonymised information, under PIPA or CIPA, is personal information that, even if not identifiable on its own, can be “easily [or readily] combined” with other information so as to be identifiable (to a specific individual), where the question of whether information can be “easily combined” will take into “reasonable consideration” factors such as the feasibility of obtaining the other information at issue, and the time and expense involved.
One question to be determined is the point at which de-identification processes go so far as to result in anonymised information rather than pseudonymised information, which is outside the reach of the PIPA or CIPA restrictions altogether. When it comes to credit information, CIPA will provide a regulatory avenue for confirming due classification of information as anonymised. But there is no corresponding process under PIPA for obtaining clarity on this point, for personal information other than credit information.
Pseudonymised information: permitted uses
PIPA, as amended, will allow pseudonymised information to be used (without need of the individuals’ consent) to generate statistical information, or for scientific research or public record-keeping. The amended CIPA likewise allows pseudonymised personal credit information to be used for such purposes. Going further, CIPA specifically provides that this permitted scope includes the use of such credit information in statistical data production and research for business purposes, such as commercial market research, with the evident aim being to help spur the growth of data-driven businesses in the financial sector.
In contrast, PIPA does not expressly allow for the use of pseudonymised information, in general, for business or commercial purposes. The Ministry of Interior & Safety is mainly responsible in this regard, and has indicated its view to be that a commercial purpose – in statistical data production and research from pseudonymised information – is permitted under PIPA (as one would infer from CIPA), but there is room for controversy on this point.
The compiling of pseudonymised information (from different data controllers) will be permitted for designated institutions, including the PIPC and other central government agencies (or, in the case of pseudonymised personal credit information, specialised data institutions designated by the Financial Services Commission). The re-transfer of data so compiled will be subject to further requirements. The amended rules are not quite clear on some related aspects, at present, such as the possible scope for consolidative processing by a credit information company.
For data protection purposes, PIPA and CIPA will require a range of security measures in relation to pseudonymised information, including measures to safeguard the additional data necessary for restoring the data to its original state, prevent processing that results in identification, and restrict identifiers generated in the course of processing.
Personal information: more latitude for use
Permitted use relative to original purpose of collection: the PIPA and CIPA amendments clarify several aspects of permitted scope for the use of personal information by the original data collector/controller (without need of further consent from the data subject), and tend to widen that scope.
First, PIPA will now expressly permit personal information to be used (without further consent) “within a scope reasonably related to the original purpose of collection” of the information, provided this is subject to conditions including no detriment to the data subject, security measures being taken, and some other criteria. (These rules, modelled after parts of GDPR Articles 5 and 6, will in any case need further definition, which is awaited in ensuing regulations.) At the same time, under CIPA, the use of personal credit information will be permitted "for purposes that do not conflict with the original purpose of the collection", subject to further conditions similar to those under PIPA. There is an evident discrepancy between PIPA and CIPA in this regard – it is not difficult to imagine proposed uses seeming to fall within one scope but not the other. But for now the difference stands.
“Entrusting” of personal information: the amendments resolve an ambiguity in the context of the “entrusting” of personal information – ie, basically, transferring personal information (previously validly collected) to a third party in order to help carry out the purpose of the original data collection (such as in a transfer for data storage). Under the current PIPA, entrusting can already be done without further data subject consent (though subject to required disclosures), but CIPA lacked this feature. Now amended, CIPA clarifies that financial institutions likewise may “entrust” personal credit information without further consent (but note that special restrictions apply to “personal unique identification information”, such as national ID numbers).
“Supplying” of personal information: data subject consent is generally required for the “supply” of personal credit information to a third party – ie, the transfer of personal credit information for the transferee’s own purposes (separate from those of the original data collecting financial institution). However, CIPA as amended recognises several kinds of exceptions, including situations depending on factors such as the relationship between the original purpose of collection of the data and the purpose of the transfer, the context of the original data collection, the impact on the data subject, security aspects, and some other factors. These somewhat vague qualitative criteria seem unlikely to gain clarity before the amended law takes effect.
Regulatory structure for new credit data-based services
Offering structure for a looming array of new services, CIPA will divide up credit inquiry business into several segments, such as personal credit assessment and corporate credit inquiry, and usher in regulations governing entry into each segment. The personal credit assessment segment, for one thing, will include among its sub-categories an “expert personal credit rating service”, able to make use of non-financial data (items like telecom and utility charges). Similarly, CIPA introduces a concept of personal credit information management businesses, which, subject to relatively modest entry requirements, may furnish personal financial data management and investment-related advice, and offer to assemble credit information and supply it to the data subjects.
Individual data subjects will enjoy a degree of portability under CIPA, including rights to require financial institutions to transfer their personal credit information to various kinds of credit data management companies and other financial institutions, or to the data subjects themselves. There will also be a right to respond to automated assessments, including a right to require the financial institution to explain or correct the results. In this respect, clearly the new framework may necessitate a host of further rules and standards, probably involving considerable expense and extensive technical adaptation.
Centralised role of Personal Information Protection Commission
Data protection oversight is currently divided between the Ministry of Interior & Safety and the Korea Communications Commission (KCC), but the functions will all be committed to the PIPC, a nine-member body (situated under the Prime Minister) comprising government officials and law and policy experts. Among its responsibilities, the PIPC is to monitor and police data privacy compliance, and publish compliance guidelines and recommended practices, including model terms for privacy policies. The change in administrative structure is partly to meet GDPR standards for an “independent regulator”, so as to help obtain an “adequacy” decision from the European Commission.
The PIPA and CIPA amendments portend a large expansion in personal data processing and usage, and the proliferation and rapid growth of “Big Data” based services. That said, it is important to remember that the statutes are yet to be supplemented with a variety of specific rules, and further fleshing-out of operative conditions and criteria. The changed framework also poses substantial ambiguities (some of them noted above), which may persist even after the amendments take effect in August 2020. Going forward, the situation will merit close monitoring of the determinations of the PIPC, among other things.
Local Data Privacy Representative and Other Requirements Applicable to Major Online Services; Active Monitoring by Regulator
Operators of major online services – meeting certain thresholds of scale such as revenues or local users – will need to be mindful of significant local requirements relating to data protection, pursuant to two sets of amendments to the Act on Promotion of Information and Communications Network Utilisation and Data Protection, Etc. (IT Networks Act) that took effect in March and June 2019. Among the “IT service providers” subject to the statute (online marketplaces, social media sites, aggregators, virtually any other online or app services), major operators are required, among other things, to designate a local data privacy representative (in the absence of a business presence in Korea), to appoint a chief information security officer serving exclusively in that role, and to maintain liability insurance (or a financial reserve) against fallout in case of a data incident.
Since mid-2019, regulators (primarily the KCC) have been actively scrutinising prominent websites and reaching out to their operators. There are signals that enforcement steps, including moves to impose administrative fines, may follow in 2020 in cases of continued non-compliance.
Note that these requirements will remain in place notwithstanding the PIPA and CIPA amendments discussed in the preceding section. (Under concurrent amendments to the IT Networks Act, the local data privacy representative requirement will be, basically, transplanted from that statute over to PIPA, but the requirement will not vary in substance.) Also, from August 2020, in principle, monitoring and enforcement are to come under the authority of the PIPC, discussed above, instead of the KCC.
Local data privacy representative: online services that cater to Korean users and, while lacking a local presence, meet certain revenue or local user thresholds are required to appoint a local representative for data protection purposes. Basically, an online service, though operated offshore, may be subject to the IT Networks Act based on criteria of local nexus, such as Korean language content offerings, user numbers, and ad-taking from Korea. If it does not have a direct local presence, the offshore business must appoint a local person or entity as a representative for data regulatory compliance purposes, if the business meets any of several thresholds of scale, such as having KRW10 billion in IT-related Korean revenue in the preceding year or 1 million daily average Korean users/visitors (who are registered, or whose personal information is otherwise saved) during the last three months of the previous year.
Early in 2019, the KCC started surveying compliance in this regard, and since May 2019 the agency has been issuing notices to many of the leading websites that are suspected to satisfy one or more of those thresholds. In September 2019, the KCC indicated that it would, in 2020, follow up with plans to stiffen enforcement efforts, potentially including efforts to impose administrative fines on the offshore operators (with an administrative fine in the first instance being up to KRW20 million – around USD18,000).
Exclusive-role chief information security officer: under the rules that took effect in June 2019, a large-enough IT service provider must appoint a person with sufficient data security training or IT experience as chief information security officer (CISO – an executive or officer level position), to serve solely in that role at the company. The requirement is triggered at certain thresholds, such as where the IT service provider has KRW5 trillion (around USD4.5 billion) (or more) in total assets, or has KRW500 billion (around USD450 million) in assets and, in Korea, either KRW10 billion in annual revenues from telecom services or more than 1 million daily average users. (In order for the CISO requirement to apply, as with the local data privacy representative requirement, conceptually the operator should have a sufficient nexus to Korea, such as in significant local user numbers.) The requirement was made subject to a grace period till the end of 2019. Policing efforts are expected to go forward in 2020.
Insurance or reserve against data incidents: regulators are also expected to follow up on a requirement, in effect since mid-2019, of maintaining insurance, or setting aside a reserve, to cover liability in case of a data breach or other such incident that causes harm to Korean users. The requirement (like the other requirements above) applies to IT service providers having a sufficient nexus to Korea, but the applicable amounts follow a scale depending on the number of users and total revenue. There is ambiguity surrounding the terms “users” and “total revenue”. At any rate, however, the largest websites, of global reach, should typically be subject to a minimum insurance or reserve of KRW1 billion, or approx. USD900,000. The KCC observed a grace period until the end of 2019, but announced it will start examining compliance in 2020.
Smartphone App Compliance with User Permission Requirements; Monitoring by Regulator
In March 2019, the KCC launched an effort to check up on popular smartphone apps' compliance with requirements for access to data stored and functions installed in users’ phones. Since then, the KCC – together with its monitoring arm the Korea Internet & Security Agency (KISA) and a contractor called “Unpeople” – has been in the process of reviewing compliance by app service operators, including those located overseas. Starting in September 2019, multiple waves of cautionary emails flagging infractions have gone out, to hundreds of offshore app operators.
The main issue is the various disclosure requirements that an app provider must satisfy when seeking Korean users’ permission to access device folders (such as contacts), pursuant to the IT Networks Act and related rules. Common infractions involve, for example, a requirement to denote each access item (such as contacts) as “mandatory” or “optional” (in terms of need, for enabling the app’s main function), and also to state the reason for the access, if only in a few words.
The email notices to app providers will typically specify the infraction(s) detected, and request a reply stating the “corrective” steps that the app providers intend to take, such as to modify descriptive text in the app store. The emails thus far, from Unpeople, have not had binding force, and do not impose a legal obligation to respond. They are in the nature of preliminary warnings. In procedural terms, Unpeople or KISA may send several notices to a given app provider, and, in case of inaction, they may “escalate” to the KCC, which may then take more definitive steps. Such notices seem likely to continue going out in intermittent waves.
