On Thursday, Jan. 14, 2016 the Korea Communications Commission (KCC) issued corrective orders and imposed fines on eight (8) information and communications service providers, including telecommunications carriers and operators of online portal businesses, for failure to expire old user data. The fines totaled W110 million (about US$90,700).
The KCC’s action was based on the amended Art. 16, para. (2) of the Presidential Enforcement Decree (the “Enforcement Decree”) of the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”), which became effective Aug. 18, 2015. The amendment shortened the legally-permitted retention period for old personally-identifying data from three (3) years to one (1) year from the date a data subject ceases to have an active relationship with a data controller subject to the Network Act.
Establishment of Shortened One-Year Data Retention Limit
Enforcement Decree Art. 16 provides that the data retention period must be not longer than one (1) year, except in the following cases:
- Where a longer retention period is required in order to comply with other Korean laws or regulations; or
- Where the data subject has expressly agreed to a longer retention period.
The amended Enforcement Decree imposes certain new obligations on those data controllers who are information or communications service providers.
In the case of an information or communications service, where a data subject (i.e., a user or subscriber) has not used the service for a specified length of time — which defaults to one (1) year except if the data subject has agreed to a longer retention period — upon the expiration of the data retention period the service provider is required to immediately either destroy or archive the old data.
Archived data may not be used or furnished to third parties except as required for compliance with other legal obligations.
Information and communications service providers have an affirmative obligation to notify data subjects of the event of data destruction or archiving, specifying the items of data affected, no later than 30 days before the expiration of the data retention period.
Notice may be by email, facsimile, telephone, postal mail, or similar methods.
Implications of KCC Enforcement Action
Based on the KCC’s recent enforcement action, the following enforcement principles may be discerned:
One-Year Limit Applicable to All Data
According to Art. 2 of the Addendum to the Enforcement Decree, the one-year retention period limit shall also be applicable to data collected or received prior to the Aug. 18, 2015 effective date of the amended Enforcement Decree. This means that a data controller that has not already been purging its databases is likely in unlawful possession of old data.
Strict View of One-Year Retention Limit
The KCC’s enforcement action indicates that the regulator strictly applies the one-year retention period on a calendar-year basis. Some of the sanctioned service providers were in the habit of regularly purging old data, but did so on a quarterly or monthly basis, meaning that in the course of their data-destruction or archiving practices, some of the data scheduled for destruction or archiving could have been over the one-year limit by a few days. KCC guidance indicates that the agency will allow a grace period of up to five (5) business days, allowing a purge cycle of a working week, but longer periods are considered not responsive enough to the one-year retention limit.
Strict View of Active Status
The recent sanctions also illustrate that the KCC takes a strict view of whether or not a data record is an active record. In the recent cases, some service providers attempted to defend their retention of data on the basis that web analytics showed a recipient had responded to an interstitial advertisement in a mass email communication using the data. The KCC rejected this defense and held that the data subject must be an active user of the service, with activity being evidenced by affirmative actions such as logging into a user account, engaging in telephonic consultation or email correspondence, or such other acts that would leave a record of activity.
Exceptions for Legal Obligations
Data controllers must also be conscious of the interaction of other legal obligations which mandate longer retention periods for certain data. The amended Enforcement Decree takes notice of such obligations and affirmatively authorizes longer retention of data where necessary for legal compliance.
For example, in cases where electronic financial transactions take place, such as where payments are made online, the Electronic Financial Transactions Act requires that records of electronic financial transactions with a value greater than W10,000 (about US$8.25) shall be preserved for five (5) years after the transaction date.
Similarly, the Act on Consumer Protection in Electronic Commerce Transactions (the “E-Commerce Consumer Protection Act”) requires that (a) consumer complaints and dispute resolution records, and (b) records of contracts, subscription cancellations, payments or delivery of goods or services shall be retained for periods of three (3) and five (5) years, respectively.
While the KCC’s initial enforcement action was aimed at bulk handlers of personal information, with millions of data records under management, future enforcement actions are likely to sweep up smaller businesses that handle customer data.
In particular, any business that engages in online transactions should commence a comprehensive review of its data-management practices and its data-destruction or archiving workflow to make sure that activity status is confirmed and action is taken on an aggressive timetable. Because data subjects may expressly agree to a longer retention period, policies and user agreements should be reviewed and amended to reflect the current enforcement risk.
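The retention workflow the article describes (active status judged only by affirmative acts such as logins, a one-year default that the data subject may extend by express consent, destruction or archiving once the period lapses, a notice deadline 30 days before expiry, statutory exceptions such as the five-year Electronic Financial Transactions Act period, and a purge cycle no more than five business days late) can be encoded as a small decision routine that a data-management review could run against a customer database. The following Python is an added example for this page, not code from the KCC or from any sanctioned provider; the event labels, legal-hold category names and sample records are constructed for illustration, and the business-day count ignores Korean public holidays.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Events the KCC accepted as evidence of active use (per the article). A click on
# an advertisement in a mass email was rejected, so "ad_click" is deliberately absent.
ACTIVE_EVENTS = {"login", "phone_consultation", "email_correspondence"}

# Statutory retention periods cited in the article, in years. The category
# labels are constructed for this example.
LEGAL_RETENTION_YEARS = {
    "eft_over_10000_won": 5,          # Electronic Financial Transactions Act
    "ecommerce_complaint": 3,         # E-Commerce Consumer Protection Act, item (a)
    "ecommerce_contract_payment": 5,  # E-Commerce Consumer Protection Act, item (b)
}

NOTICE_LEAD_DAYS = 30      # notice no later than 30 days before expiry
GRACE_BUSINESS_DAYS = 5    # purge-cycle tolerance described in KCC guidance


def as_date(x):
    return x if isinstance(x, date) else date.fromisoformat(x)


def add_years(d, n):
    """Calendar-year arithmetic; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass
class Record:
    user_id: str
    collected_on: str                                # ISO date the data was collected
    events: list = field(default_factory=list)       # (iso_date, kind)
    agreed_years: int = 1                            # >1 only with express consent
    legal_holds: list = field(default_factory=list)  # (iso_date, category)

    def last_activity(self):
        dates = [as_date(d) for d, kind in self.events if kind in ACTIVE_EVENTS]
        return max(dates) if dates else as_date(self.collected_on)

    def retention_expiry(self):
        return add_years(self.last_activity(), self.agreed_years)

    def notice_deadline(self):
        return self.retention_expiry() - timedelta(days=NOTICE_LEAD_DAYS)

    def legal_hold_until(self):
        ends = [add_years(as_date(d), LEGAL_RETENTION_YEARS[c])
                for d, c in self.legal_holds]
        return max(ends) if ends else None


def classify(rec, today):
    """Return the action the retention rules call for on `today`."""
    today = as_date(today)
    if today > rec.retention_expiry():
        hold = rec.legal_hold_until()
        # Past the one-year limit: archive what another law still requires
        # (usable only for that compliance purpose) and destroy the rest.
        return "archive" if hold and hold > today else "destroy"
    if today >= rec.notice_deadline():
        return "notify"  # notice deadline reached; expiry is within 30 days
    return "active"


def business_days_between(start, end):
    """Weekdays after `start` up to and including `end` (no holiday calendar)."""
    start, end, n = as_date(start), as_date(end), 0
    while start < end:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n += 1
    return n


def purge_overdue(expiry, purge_date):
    """True if a purge run on purge_date exceeds the five-business-day grace period."""
    return business_days_between(expiry, purge_date) > GRACE_BUSINESS_DAYS


def sample_records():
    """Constructed sample data for this example; not taken from the article."""
    return [
        Record("alice", "2014-03-01", [("2015-01-10", "login")]),
        Record("bob", "2014-06-01", [("2015-11-01", "ad_click")],
               legal_holds=[("2015-05-20", "eft_over_10000_won")]),
        Record("carol", "2014-09-01", [("2015-02-15", "email_correspondence")]),
        Record("dave", "2013-05-01", [("2014-01-01", "login")], agreed_years=3),
    ]


def evaluate(records, today):
    return {r.user_id: classify(r, today) for r in records}


if __name__ == "__main__":
    for uid, status in evaluate(sample_records(), "2016-01-14").items():
        print(uid, status)
```

Run on the date of the KCC action, "alice" is past her one-year limit and must be destroyed, "bob" is also past the limit (his ad click does not count as activity) but his payment record stays archived under the five-year financial-transactions rule, and "carol" and "dave" remain active, "dave" because he expressly agreed to three years. A purge run four business days after an expiry passes the grace check; one run eight business days later fails it.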