Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The legislative framework for the protection of PII in Korea consists of the Personal Information Protection Act (the PIPA) and various sector-specific laws. The PIPA is the overarching statute regarding the protection of PII and was enacted with reference to the Organisation for Economic Co-operation and Development guidelines and similar foreign precedents. Prior to the amendments that became effective as of 5 August 2020, the Act on Promotion of Information and Communications Network Utilisation and Information Protection (the Network Act) applied to information and communications technology (ICT) and online privacy. However, the amendments, effective as of 5 August 2020, amended the Network Act and the PIPA so that the privacy-related provisions in the Network Act are incorporated into the PIPA. Additionally, Korea has the following sector-specific laws that regulate the protection of PII:

  • the Credit Information Use and Protection Act (the Credit Information Act) governs the protection of credit information in the finance sector;
  • the Framework Act on Consumers applies to consumer data;
  • the Act on the Consumer Protection in Electronic Commerce governs privacy in the context of electronic commerce;
  • the Act on the Protection, Use, Etc, of Location Information (the Location Information Act) governs location information;
  • the Medical Service Act applies to data related to healthcare;
  • the Act on the Promotion of Workers’ Participation and Cooperation applies to data in the context of labour and employment; and
  • the Framework Act on Education applies to data in the context of education.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

In Korea, multiple governmental authorities deal with data protection. The Personal Information Protection Commission, which is under the direct supervision of the president, is a governmental commission established pursuant to the PIPA with the authority to review and determine PII protection policy-related matters. The Ministry of the Interior and Safety has the authority to oversee compliance with the PIPA and enforce it. The Korea Communications Commission (KCC) and the Financial Services Commission have authority pursuant to the Network Act and the Credit Information Act, respectively, to perform PII protection-related work.

Under the amendment to the PIPA, effective as of 5 August 2020, the Personal Information Protection Commission has broader authority and is expected to become the control tower for PII protection. In addition to having the authority to review and determine PII protection-related matters, the Personal Information Protection Commission has the authority to enforce and oversee compliance with the PIPA. The power of the Personal Information Protection Commission has also been expanded to include the discretion to investigate and impose sanctions and fines. Further, the joint responsibilities of the Ministry of the Interior and Safety, the KCC and the Financial Services Commission to oversee PII protection have been consolidated and transferred to the Personal Information Protection Commission (such as the power to demand information, investigate, impose monetary fines, issue corrective orders, charge and recommend sanctions).

Regardless of the amended PIPA coming into effect, as the controlling authority for the Credit Information Act in relation to financial institutions and credit information companies, the Financial Services Commission has the power to investigate any violation of the Credit Information Act and impose monetary or administrative fines. As the controlling authority for the Location Information Act, the KCC has the power to demand information, investigate and impose monetary or administrative fines in relation to the protection of location information. The Fair Trade Commission has the power to order corrective measures regarding unfair terms and conditions relating to PII.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There has been an increasing need to establish a body to enable the consistent making of PII protection policies and discussions regarding PII protection among central administrative agencies. As such, the Enforcement Decree of the PIPA (the Enforcement Decree), which has also been amended with effect on 5 August 2020, stipulates that each special metropolitan city, metropolitan city, special self-governing city, province and special self-governing province must establish a council of institutions related to PII protection (a city or province council), and sets out the composition of the city or province council and the matters subject to discussion by it.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The PIPA, the Credit Information Act and other sector-specific laws provide for administrative sanctions or criminal penalties that apply upon breaches occurring.

A company that violates the PIPA can be subject to administrative sanctions and criminal penalties. The Personal Information Protection Commission can issue corrective orders, such as the termination of any activities that infringe on PII, the temporary suspension of PII processing, and the implementation of necessary measures to protect and prevent any infringement of PII. Additionally, if the company is determined to have violated any laws related to PII protection, a recommendation for disciplinary measures against the responsible individual (including the representative director and the officer in charge) may be issued. Further, a monetary fine of up to 500 million won can be imposed for the loss, theft, leakage, alteration and impairment of a resident registration number and under certain other circumstances. A monetary fine of up to 3 per cent of total revenue can be imposed for processing pseudonymised information for the purpose of identifying a particular individual. For violations of certain provisions of the PIPA, such as providing PII to a third party without the data subject’s consent, criminal penalties may be imposed, such as imprisonment for up to five years or a monetary penalty of up to 50 million won.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Personal Information Protection Act (the PIPA) is the overarching law and applies to all private sectors and government sectors, individuals and companies. There is no organisation that is exempt from the PIPA. However, the PIPA provides that when a governmental agency requires personally identifiable information (PII) to conduct its duties prescribed by law for the purpose of public interest, PII may be collected, used and provided without consent.

The sector-specific laws such as the Credit Information Use and Protection Act (the Credit Information Act), the Act on the Protection, Use, Etc, of Location Information (the Location Information Act), the Medical Service Act, and the Framework Act on Education only apply to the relevant sectors.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The PIPA and the Act on Promotion of Information and Communications Network Utilisation and Information Protection (the Network Act) both restrict the unauthorised interception of communications or electronic commerce. The PIPA focuses on implementing measures that would prevent unauthorised interception while the Network Act provides for protection of PII processed by information and communications technology (ICT) networks and penalises interception by unauthorised persons.

Such activities could also be subject to the Protection of Communications Secrets Act or the Criminal Act. Under the Protection of Communications Secrets Act, mail censorship, interception of ICT communications, providing communication records, or the recording of or listening to confidential conversations of third parties are prohibited unless they fall under statutory exceptions.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

In addition to the PIPA, there are several laws that provide for specific data protection rules by sector. The ICT sector is subject to the Network Act, the Framework Act on Electronic Documents and Transactions, the Location Information Act, and the Protection of Communications Secrets Act. Employee monitoring is governed by the Act on the Promotion of Workers’ Participation and Cooperation. Information in the healthcare sector is subject to the Medical Service Act, the National Health Insurance Act, the Public Health and Medical Services Act and the Emergency Medical Service Act. Data protection in the finance sector is governed by the Credit Information Act, whereas the education sector is governed by the Framework Act on Education.

PII formats

What forms of PII are covered by the law?

Under the PIPA, PII means the following:

  • information that can identify a living person, such as their name, resident registration number or image;
  • a certain piece of information that, even if it cannot identify a person by itself, can be easily combined with other information to identify a person, reasonably considering the accessibility of the other information and the time, cost and technology required for identifying a person; and
  • pseudonymised information that cannot be used to re-identify a person without the assistance of additional information.

There is no limit as to the format or formality of PII.

Under the sector-specific laws, the scope of PII that is covered differs. For example, under the Credit Information Act, personal credit information means data that is necessary to determine the creditworthiness and credit transaction capacity of an individual. Under the Location Information Act, ‘personal location information’ means the location of a certain individual (including information, when combined with other information, that can identify the location of an individual).

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The existing obligations of foreign ICT service providers to appoint a representative in Korea under the Network Act that have been moved to the PIPA pursuant to the amendments effective as of 5 August 2020 are as follows:

First, an ICT service provider that does not have a domicile or place of business in Korea and that has total revenue for the preceding year of no less than 1 trillion won, revenue relating to ICT services for the preceding year of no less than 10 billion won, or average daily users (whose PII is being stored and managed) of no less than 1 million for the last three months of the preceding year must designate a representative in Korea to act as its chief information protection officer (CIPO) under the PIPA. This representative must perform the duties of the CIPO under the PIPA and, in the event of any data leakage, file reports to the regulatory authorities, notify the data subjects and submit material for investigation.

Second, the rules that previously applied to overseas transfer of PII also apply to the onward transfer of PII (ie, the transferring of PII that has already been transferred overseas) to a third country. Accordingly, in cases of onward transfer, the data subject’s consent is required.

Third, by adopting the principle of reciprocity, any foreign ICT service provider that is domiciled in a country that restricts overseas transfer of PII can be subject to the same level of restriction on the overseas transfer of PII from Korea.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Under the PIPA, ‘processing’ means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, retrieval, output, correction, recovery, use, provision, disclosure and destruction of PII, and other similar activities. The PIPA does not particularly distinguish between those that control or own PII and those that provide PII processing services to owners. Under the PIPA, the term ‘PII processor’ is defined broadly to include any party (such as a public institution, legal person, organisation or individual) that processes personal information directly or indirectly to operate personal information files for official or business purposes.

Rather, a similar distinction under the PIPA to that between data controller and data processor would be the concepts of ‘delegator’ and ‘delegatee’ of processing. When a PII processor delegates PII processing to a third party (ie, delegatee), the delegator needs to conduct training of the delegatee to prevent loss, theft, leakage, falsification, alteration or destruction of PII and supervise the delegatee’s processing activities to ensure secure processing of PII in accordance with the Enforcement Decree of the PIPA. In the event any liability arises in the context of PII processing by the delegatee due to a violation of the PIPA, the delegatee would be treated as an employee of the delegator vis-à-vis the data subject. The delegatee is prohibited from using PII beyond the scope of the delegation and from providing the PII to third parties. Since the delegatee falls under the scope of PII processor, the delegatee is subject to the obligations of a PII processor, such as the obligation to procure PII security measures.

The PIPA also imposes a higher level of PII protection on certain types of PII processors. Governmental agencies have heightened obligations for PII protection compared to the private sector. Such obligations include the duties to:

  • disclose the registration of PII files;
  • conduct privacy impact assessments;
  • establish and disclose privacy policies that include policies regarding PII files that are subject to registration;
  • grant the data subject the right to access PII; and
  • participate in dispute resolution procedures.

Law stated date

Correct on

Give the date on which the information above is accurate.

May 2020.