Recently, Korea has added new updates to its privacy laws, including the amended version of the Network Act (the “Amended Network Act”) and the amended version of its personal data privacy law, the PIPA (the “Amended PIPA”). Both the Amended PIPA and the Amended Network Act (collectively, the “Amended Acts”) contain a number of far-reaching amendments that raise the overall level of regulatory requirements applicable to information and communication service providers (“ICSPs”) and data processors.
The provisions of the Amended Acts with the most significant implications include the following:
- Amended Network Act
- From March 23, 2017, in the event any ICSP (such as a smartphone app developer) needs to access certain data stored on, or certain functionality of, a user’s smartphone, it must obtain prior informed consent from the user. For this, the ICSP must notify the user that the ICSP needs certain access authority (“Smartphone Access Authority”).
- Further, ICSPs may not refuse to provide the subject services to the user on the basis that the user did not consent to granting the developer the Optional Authority.
- Correspondingly, the developer/supplier of a mobile handset’s basic operating system, the manufacturer of a mobile handset, and the developer/supplier of a mobile handset’s software are required to implement the necessary measures to protect the personal information of the user, including having in place, on their products, a process through which the user may grant or withdraw his/her consent to granting the Smartphone Access Authority to ICSPs.
- (2) Stricter Requirements For Outsourcing And Re-outsourcing The Processing Of Personal Information
- In the event the ICSP wishes to outsource the processing of personal information to a third-party service provider (the “Outsourced Processor”), it must enter into a written arrangement with the Outsourced Processor. The Outsourced Processor may not contract out the processing of the personal information to another third party unless it has obtained the consent of the ICSP.
- (3) Protection Of Personal Information That Is Transferred Across National Borders
- From September 30, 2016, the user’s consent must be obtained for the following types of cross-border transfer of personal information: (a) provision of personal data to a third party (for the third party’s benefit) (including cases where the personal information of Koreans is accessed from abroad), (b) outsourcing of processing of personal data to the Outsourced Processor, and (c) storage of personal data outside of Korea.
- More importantly, in the event the ICSP transfers personal information across borders without obtaining the subject user’s consent, it may be subject to (i) in the case of (a) above, a penalty surcharge of up to 3/100 (i.e. 3%) of the revenue it generated from engaging in such transfer, or (ii) in the case of (b) or (c) above, an administrative fine of up to KRW 20 million.
The updates are in response to the credit card scandal of 2014, in which 3 major credit card companies faced a massive data breach. Korean data privacy laws, as well as the related regulations and guidelines, have all been tightened in an attempt to prevent a recurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement, and continuously update, risk management processes for the protection of personal data. Whether Korea's new laws and regulations will succeed in stemming the tide of cybersecurity issues and data privacy breaches remains to be seen.
The revisions and amendments have potential implications for those they regulate. This includes ICSPs in the broad sense: numerous online service providers such as e-commerce companies, website operators, and online content providers, as well as the traditional telecommunications service providers and communication companies.
There have been many changes to Korea’s data privacy laws and regulations over the last 2 years including the changes reflected above. Other changes are as follows:
- Collection of personal information - ICSPs may not collect more than the absolute minimum level of privacy-related information from users, regardless of whether they obtain the user's consent.
- Report of Data Breach - there is a 24-hour deadline for reporting a data breach to the Korea Communications Commission (“KCC”).
- Penalties - the penalties for failure to destroy personal information have increased. ICSPs must implement the necessary measures to destroy the personal information of users so that it cannot be restored. Failure to do so may result in criminal prosecution.
- Statutory Damages - statutory damages for an ICSP's failure to adequately protect personal information from being stolen, hacked, lost or leaked have increased to USD 2,900 in the case of willful or negligent misconduct.
- Increased Administrative Penalties - administrative penalties have increased in the case of ICSPs who collect or process personal information without the users' consent. The penalty has now increased to 3% of annual turnover. Previously, there was a cap of USD 95,000 on the administrative penalty where a data security breach occurred due to the ICSP's failure to implement adequate safeguards to protect users' personal information. That cap has been lifted, which may now expose ICSPs to increased litigation.
- Chief Privacy Officer - ICSPs who meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report such designation to the Minister of the Ministry of Science, ICT & Future Planning. The criteria for determining whether an ICSP must designate a CPO are based on a minimum number of users and employees.
- Direct Marketing - no one, whether an ICSP or not, may use personal information for direct marketing by electronic means without opt-in consent in place from the potential recipient.
- The legal risks associated with violations of the Amended Acts and other personal privacy-related statutes have significantly increased, as the stricter regulations now impose heavier fines and even criminal prosecution.
- The Amended Acts provide for lighter sanctions, or even exemption from sanctions, if the ICSP has carried out its duties in "Good Faith". To take advantage of this, companies need to immediately implement reasonable internal procedures and standards that demonstrate compliance with the new regulations. ICSPs will therefore have to establish, and actually implement, effective and efficient internal processes and procedures to show compliance with the laws, which will include making use of existing certification programs such as PIPL and PIMS.
- Management is presumed to have a greater awareness of data privacy breaches, as well as of the stricter duties regarding the collection, usage and processing of personal information. Therefore, ICSPs now bear the burden of proving the absence of negligence or willful misconduct in relation to data breaches.
As with the other changes in Korea's personal information and data privacy laws, we will see whether the recent revisions and amendments have the intended impact. What is apparent is that the new amendments place a heavy burden on ICSPs, which will likely result in more litigation and greater penalties and fines. Not only must certain ICSPs designate CPOs, but regulations in the financial sector now place more liability on CEOs, CPOs and CIOs to comply with data protection laws.