South Korea’s principal data privacy law is the Personal Information Protection Act (PIPA), passed in 2011. It provides the basis for the country’s data protection policies and is enforced by the Personal Information Protection Commission (PIPC). South Korea had been seeking an adequacy decision under the GDPR and reformed the PIPC accordingly to meet the GDPR’s requirements for an independent regulatory body. In 2021, South Korea received adequacy status under the GDPR, becoming one of the few Asia Pacific countries to do so.
While the PIPA covers most of South Korea’s basic privacy regulations, other important legislation includes the Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act) and the Credit Information Use and Protection Act. Both of these laws impose important sector-specific regulations on the computer marketing and banking industries and should be considered in conjunction with the PIPA.
Here are some of the highlights of the PIPA:
Individuals must consent to the collection and use of their personal information unless the processing is necessary to execute a contract with the data subject, serves a public interest purpose, or the data controller has a legitimate interest that clearly supersedes the rights of the data subject. Although the PIPA contains legal bases for processing similar to those in other data protection laws, it imposes stricter requirements for relying on any legal basis other than consent. For this reason, organizations tend to rely on consent as the legal basis for collecting and processing personal information in South Korea. Recently, South Korea passed reforms that allow pseudonymized data to be used for statistical purposes, scientific research, or archiving without the consent of the data subject, allowing more flexible information use. However, consent requirements remain a barrier to data processing for many organizations.
The data subject has the right to confirm whether their data is being processed, and to request access to that information. Additionally, they have the right to request the correction or deletion of their information. The right to portability exists for credit information and is expected to be added to the PIPA soon.
When providing personal information to third parties abroad, controllers must obtain consent from the data subject that informs them of the purpose of the data transfer as well as the recipient, content of the transfer, and the period of retention of the data. This is not necessarily required for outsourcing the processing of personal information if notice is included in the company’s privacy policies. The PIPA also includes a reciprocity principle which stipulates that data transfers to countries that restrict the cross-border transfer of data may be restricted.
In the event of a breach, the data controller must notify data subjects without delay of when and how the breach occurred and what information was affected, as well as the steps the controller is taking to minimize damage. Additionally, the controller must provide advice on steps the data subject can take to limit damage and a contact point through which data subjects can report damage.
Violations of PIPA may result in a prison sentence of up to 5 years or a fine of up to 50 million won for transferring personal information to a third party without consent or processing sensitive information without separate consent. For obtaining personal information or consent by unlawful means, an individual can be imprisoned for up to 3 years or fined up to 30 million won. In 2021, the PIPC fined Netflix and Facebook $5.6 million USD for violations of PIPA including failing to disclose information about international data transfers, collecting data without user consent, and failing to comply with PIPC requests.
Consent is the legal basis on which organizations operating in Korea rely most, and the requirements for relying on an alternative legal basis for processing are much stricter. Unlike under most other data protection laws, consent is required for international transfers of personal data, making it critical for companies operating internationally. Since Korea vigorously enforces its consent requirements, it is important for organizations to keep records that serve as evidence of informed, explicit consent. To comply with South Korea’s consumer rights requirements, organizations should ensure that their services provide transparency and seamless access to user information.
While Korea’s requirements for consent still pose a burden for organizations intending to export or process personal data, several reforms indicate that Korea is open to allowing more flexible data use. Recent amendments to the PIPA have introduced data portability, expanded legal bases for consent, and pseudonymization, giving some indication that Korea might be willing to take further steps to facilitate information flexibility. Nevertheless, organizations should conduct a thorough review of their data flows in South Korea in order to ensure compliance with South Korea’s strict regulations regarding transfers and data processing.
In light of the EU adequacy decision, Korea will be able to import more data from the EU and is likely to be further influenced by the GDPR. South Korea has already faced criticism from the United States and other countries for restricting cross-border data transfers on the basis of consent and national security. As the country strengthens its ties with Europe and moves toward a data-driven economy, it may implement changes similar to those in the GDPR to allow for more data flexibility. Companies should continue to monitor the country’s data privacy laws as they develop and revise their data protection processes accordingly.