Like some of its neighbors in Asia, South Korea has taken data protection seriously and has implemented a general data protection law, the Personal Information Protection Act ("PIPA"). It amended PIPA in 2016 to add further regulations and requirements. Unlike some of its neighbors, however, South Korea has also enacted other laws over the last two years that place strict data privacy requirements on specific sectors such as IT networks, credit card information, cloud computing and online advertising.
The updates are a response to the credit card scandal of 2014, in which three major credit card companies suffered a massive data breach. Korean data privacy laws, regulations and guidelines have all been tightened in an attempt to prevent a recurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement, and continuously update, risk management processes for the protection of personal data. Whether Korea's new laws and regulations will succeed in stemming the tide of cyber security incidents and data privacy breaches remains to be seen.
There have been many changes to Korea's data privacy laws and regulations over the last two years, including:
A. PIPA
- Data minimization: information and communications service providers (ICSPs) may not collect more than the absolute minimum of privacy-related information from users, regardless of whether they obtain the user's consent.
- Data breach reporting: a data breach must be reported to the Korea Communications Commission ("KCC") within 24 hours.
- Increased administrative penalties: administrative penalties have increased for ICSPs that collect or process personal information without the user's consent. The penalty has been raised to 3% of annual turnover.
- Chief Privacy Officer: ICSPs that meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report the designation to the Minister of Science, ICT and Future Planning. Whether an ICSP must designate a CPO is determined by minimum thresholds for numbers of users and employees.
B. Cloud Computing
- The Cloud Computing Act, which took effect in 2015, specifically addresses personal data and seeks to protect the personal data of cloud users. It stipulates that PIPA applies to the protection of users' data stored in the cloud.
- Cloud computing service providers (CCSPs) are required to notify users of any cyber security incident, leakage of cloud data or service interruption. They must also notify the Minister of Science, ICT and Future Planning in the event cloud data is leaked.
- The provision of cloud data to third parties by CCSPs is strictly controlled, and upon expiration of the service agreement between the user and the CCSP, the user's cloud data must be returned or destroyed.
C. The Network Act
- The Network Act was amended to provide that, from March 23, 2017, an information and communications service provider (ICSP) that needs to access certain data stored on a user's smartphone must first obtain the user's prior informed consent.
- Furthermore, the ICSP may not refuse to provide smartphone services to the user on the ground that the user has refused consent for the ICSP to access the user's data.
- From September 30, 2016, the user's consent must be obtained for certain cross-border transfers of personal information, including: (i) provision of personal data to a third party; (ii) outsourcing of the processing of personal data; and (iii) storage of personal data outside Korea.
- If the CPO of an ICSP becomes aware of a violation of data protection or privacy laws or regulations, the CPO must take steps to remedy the situation and must also report the violation.
D. Online Behavioral Advertising Guidelines
- On February 7, 2017, the Korea Communications Commission (KCC) issued guidelines on privacy and online behavioral advertising (the "Guidelines") to promote a healthy advertising ecosystem by minimizing the risk of privacy invasion that users face when targeted by online advertisers. The Guidelines take effect in July 2017.
- The Guidelines contain a number of requirements, including: (i) transparency in the collection and use of users' online behavioral data; (ii) a guaranteed right for users to control their exposure to online targeted ads; (iii) an obligation on online advertisers to secure online behavioral data; and (iv) strengthened mechanisms giving users a right of redress.
- Online behavioral advertisers must collect only the minimum amount of data necessary to provide targeted ads and may not collect the personal information of children under the age of 14.
- Online behavioral advertising businesses must retain personal data only for the minimum period necessary to provide online targeted ads and must take measures to destroy the information once the purpose for retaining it has been achieved.
The regulatory trend for data protection in Korea is clearly toward increased accountability for the collection, storage and use of personal information. Stricter requirements have been placed on ICSPs, outsourced data processors, financial institutions and credit card companies. Compliance with the new regulations will become increasingly important as more penalties and fines are levied against those who fail to comply.