South Korea has enacted stricter penalties for violations of data protection or privacy requirements by telecommunications and online service providers, including potentially steep damages in the wake of a data breach. The amendment (the “Amendment”) to South Korea’s Act on the Promotion of IT Network Use and Information Protection (“Network Act”) became law on March 22, 2016 and will become effective on September 23, 2016. The Network Act regulates and protects the personal information of individuals (“Information Subjects”) that are collected, used and disclosed by telecommunications and online service providers (“Service Providers.”) Overall, the Amendment provides heavier penalties for violating privacy provisions in the Network Act. The increased penalties and stricter privacy standards are consistent with recent amendments in other Korean privacy laws, such as the Personal Information Protection Act and the Utilization and Protection of Credit Information Act.
Some of the key changes in the Amendment are summarized below.
- Punitive Damages Provision. Service Providers may be liable for fines amounting to three times actual damages where a Plaintiff/Information Subject can demonstrate that personal information was breached as the result of intentional or gross negligence by the Service Provider (Article 32, Clauses 2 and 3).
- Forfeiture of Profits. Any profits that a Service Provider gains through privacy-related violations of the Network Act are subject to confiscation and forfeiture (Article 75, Clause 2).
- 3% Fine of Related Revenue. Service Providers that transfer personal information outside of Korea for access, management and storage abroad (“Overseas Transfer”) must obtain prior consent from the Information Subject. If a Service Provider fails to obtain prior consent, it may be subject to fines of up to three percent of the revenue related to the Overseas Transfer (Article 32, Section 2).
- Accountability of Senior Officers. For violations of the Network Act by Service Providers, the Korean Communications Commission may also recommend disciplinary action against the chief executive officer or other senior officers of the Service Provider (Article 69, Section 2).
The Amendments represent another step by the Korean government to toughen Korea’s privacy-related laws and regulations, which are already viewed by many to be extremely robust. The Amendment, along with other recent updates to Korean privacy laws, will likely lead to increased data breach litigation and further notable enforcement actions by Korean authorities. Service Providers operating in Korea should consider the increased risks and potential liabilities for data protection violations under the Network Act and consider strengthening compliance programs ahead of the September effective date.