South Korea: Data Protection Update

November 9, 2018

South Korea has taken data protection very seriously and has implemented a general data protection law, the Personal Information Protection Act (PIPA). Amended in 2016, PIPA places strict requirements on data privacy in sectors such as IT networks, credit card information, cloud computing, and online advertising.

The 2016 amendments were in response to the 2014 credit card scandal, in which three major credit card companies faced a massive data breach. Korean data privacy laws, as well as regulations and guidelines, have all been tightened in an attempt to prevent a recurrence of such a scandal. There will always be a risk of unauthorized access to data unless companies and governmental agencies implement and continuously update risk management processes. There have been many changes to Korea’s main data privacy law, PIPA, as well as to specific industry-related data privacy laws and regulations over the last few years. Some are listed below.


  1. Collection of Information: information and communications service providers (ICSPs) are restricted from collecting more than the absolute minimum level of privacy-related information from users, regardless of whether they obtain the user's consent.
  2. Report of Data Breach: there is a 24-hour deadline for reporting a data breach to the Korea Communications Commission (KCC).
  3. Increased Administrative Penalties: administrative penalties for the collection or processing of personal information without the user's consent have been increased. The penalty has now increased to 3% of annual turnover.
  4. Chief Privacy Officer: ICSPs that meet certain criteria are required to designate a Chief Privacy Officer (CPO) and report such designation to the Ministry of Science, ICT & Future Planning.

Cloud Computing

  1. The 2015 Cloud Computing Act specifically identifies personal data and seeks to protect it. The Cloud Computing Act stipulates that PIPA applies with respect to protecting data of users of cloud computing services.
  2. Cloud computing service providers (CCSPs) are required to notify users of any cybersecurity incident, cloud data leakages, and service interruptions. They must also notify the Ministry of Science, ICT & Future Planning if cloud data is leaked.

Act on Promotion and Communications Network Utilization and Information Protection

  1. The Network Act was amended to provide that any ICSP must obtain prior informed consent from the user if it needs to access certain data stored on a user’s smartphone.
  2. Furthermore, an ICSP may not refuse to provide smartphone services to the user based on the user’s refusal to consent to the ICSP accessing that data.
  3. If the CPO of an ICSP becomes aware of a violation of the data protection/privacy laws or regulations, the CPO must take steps to remedy the situation and also report the violation.

Online Behavioral Advertising Guidelines

  1. On February 7, 2017, the Korea Communications Commission (KCC) set forth guidelines on privacy and online behavioral advertising to promote a healthy advertising ecosystem by minimizing the risk of privacy invasion users might experience as a result of being targeted by online advertisers. The guidelines took effect in July 2017.
  2. The guidelines contain a number of requirements including (i) transparency in the collection and use of online behavioral data of the users, (ii) guaranteed right to control exposure to online targeted ads, (iii) guaranteed security of online behavioral data by online advertisers, and (iv) strengthened mechanisms giving users the right of redress.

It is clear that the regulatory trend for data protection in Korea focuses on increased accountability for the collection, storage, and use of personal information and data. Basically, stricter requirements have been placed on financial institutions and credit card companies. Compliance with PIPA and other regulations will become very important as more and more penalties and fines are levied against those who fail to comply. Other countries in Asia are also increasing or strengthening data protection laws, but that topic requires another blog down the road.

