Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law- the Personal Information Protection Act or “PIPA”. It first amended the PIPA in 2016 by adding additional regulations and requirements. Unlike some of its neighbors however, South Korea has also enacted other laws over the last 2 years that place strict requirements on data privacy in other sectors such as IT Networks, credit card information, cloud computing and online advertising. Recently, additional major amendments to PIPA were passed by the National Assembly of Korea because of Big Data /AI /IoT concerns.
The amendments to the PIPA that have been adopted include: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA. A short summary follows:
1. Key Provisions of the Amended PIPA
(1) Clarification of the definition of “personal information”
As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means, by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.
(2) Introduction of “pseudonymized information”
The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.”
The amendment stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.
(3) Use of personal information within the scope reasonably related to the original purpose of the collection
The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject. The amended PIPA has relaxed the existing consent-oriented regulations which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection.
(4) Exclusion of anonymized information from the application of the PIPA.
The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.
(5) Transfer of the Network Act’s personal information-related provisions to the PIPA.
The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA.
.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party.
Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing. Under the current PIPA, the data subject’s consent is not required for Outsourcing.
The new amendments to PIPA are meaningful in that they help provide clearer guidance to data handlers on what constitutes the lawful processing of personal information as well as setting forth standards for the secure processing of personal information. It is expected that the amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations shall take place in the upcoming months.