In a previous blog post, I have discussed certain updates to Korea's data privacy laws. The updates are in response to the credit card scandal of 2014 in which 3 major credit card companies faced a massive data breach. Korean data privacy laws as well as its regulations and guidelines have all been tightened in an attempt to prevent a reoccurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes in dealing with the protection of personal data. Whether Korea's new laws and regulations will be successful in stemming the tide of cyber security issues and data privacy breaches remains to be seen.
One of the principal revisions to Korea's data privacy regulations is the recent set of amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection ("ICNA"). The revisions have potentially major implications for those it regulates, such as information service providers ("ICSPs") or communication service providers. ICSPs include numerous online service providers, including e-commerce companies, website operators and online content providers, as well as the traditional telecommunications service providers and communication companies.
There are many changes to ICNA but the major changes are as follows:
1. Collection of information on privacy- ICSPs are restricted from collecting more than the absolute minimum level of privacy related information from users, regardless of whether they obtain the user's consent or not.
2. Report of Data Breach- there is a 24-hour deadline for reporting a data breach to the Korea Communications Commission ("KCC").
3. Penalties- the penalties for failure to destroy personal information have increased. ICSPs must implement necessary measures to destroy personal information of users so it may not be restored. Failure to do so may result in criminal prosecution.
4. Statutory Damages- statutory damages for ICSPs' failure to adequately protect personal information from being stolen, hacked, lost or leaked have increased to $2,900 USD in case of willful or negligent misconduct.
5. Increased Administrative Penalties- Administrative penalties have increased in the case of ICSPs who collect or process personal information without the users' consent. The penalty has now increased to 3% of annual turnover. There was a cap of USD 95,000 on the administrative penalty in case a data security breach occurred due to the ICSP's failure to implement adequate safeguards to protect users' personal information. The cap has been lifted, which may now expose ICSPs to increased litigation.
6. Chief Privacy Officer- ICSPs who meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report such designation to the Minister of the Ministry of Science, ICT & Future Planning. The criteria to determine whether an ICSP must designate a CPO are based on a minimum number of users and employees.
7. Direct Marketing- No one, whether an ICSP or not, can engage in the direct marketing of personal information by electronic means without having an opt-in consent in place from the potential recipient.
Major Concerns
- The legal risks associated with violations of ICNA and other personal privacy related statutes have significantly increased as stricter regulations now impose heavier fines including criminal prosecution.
- The ICNA provides for lighter sanctions or even exemption from sanctions if the ICSPs have carried out or performed their duties in "Good Faith". For companies to take advantage of this they need to immediately implement reasonable internal procedures and standards to show compliance with the new regulations.
- Management is presumed to have a greater awareness of data privacy breaches as well as the stricter duties regarding the collection, usage and processing of personal information. Therefore, the ICSPs now have the burden of proof to prove lack of negligence or willful misconduct related to data breaches.
As with the other changes in Korea's personal information and data privacy laws, we will see if the recent revisions and amendments have the intended impact. What is apparent is that the new amendments place a heavy burden on ICSPs which will likely result in more litigation and greater penalties and fines.