The New Guideline on Protection of Biometric Information
The Personal Information Protection Commission (the “PIPC”) announced on September 8, 2021 the “Biometric Information Protection Guideline” (the “Guideline”) for the protection and safe use of biometric information such as fingerprints, facial images, palm veins or iris patterns. The Guideline amends the existing “Bio-information Protection Guideline” to set out the basic principle of protecting biometric information and the specific measures required for its protection at each processing phase.
Key provisions of the newly announced guideline are as follows:
1. The term “bio information” is changed to “biometric information” to clarify its meaning, and the scope of information that must be encrypted is clarified by prescribing the information subject to encryption under the personal information related notices (the “Standard of Actions to Secure Safety of Personal Information” and the “Standard of Technical and Administrative Protection Measures of Personal Information”) as “biometric identifiers”, i.e., information processed by certain technical means for the purpose of authenticating and identifying an individual. (The amendment of the notices relating to the change of term became effective on September 13, 2021.)
* Biometric information is defined as information about an individual's physical, physiological and behavioral characteristics that is processed through certain technical means for the purpose of authenticating and identifying a specific individual or identifying characteristics (e.g., age, gender or emotion) of an individual, and includes the concept of biometric identifiers under the Guideline. Other than biometric identifiers, “general biometric information” processed to identify characteristics (age, sex, emotion, etc.) of an individual is not required to be encrypted for storage or to have its original copy stored separately, but protective measures equivalent to those for biometric identifiers are recommended.
2. The Guideline newly introduces a total of 15 protective measures required across the 5 phases of processing biometric identifiers:
* 1. Planning/Designing Phase (e.g., preparing alternatives for a user who does not want to, or is not able to, provide biometric identifiers) → 2. Collection Phase (e.g., protecting the transmission path of biometric identifiers) → 3. Use/Provision Phase (e.g., using biometric identifiers only within the scope of the purpose to which consent was given and providing means for data subjects to control their biometric identifiers) → 4. Storage/Destruction Phase (e.g., immediately destroying biometric identifiers that are no longer necessary) → 5. Everyday Inspection (e.g., management and supervision by the personal information controller)
3. The scope of entities subject to the Guideline is expanded from information and communications service providers to all personal information controllers. It is clarified that consent is required for the collection and use of characteristic information identifying biometrics, which is prescribed as sensitive information under the Enforcement Decree of the Personal Information Protection Act (the “PIPA”) as amended on August 5, 2020.
* For example, in order to use a facial photograph that was collected for registration in an existing HR management system in a newly introduced face recognition system, consent for the collection and use of biometric identifiers must be obtained in advance, because use of the photograph in a face recognition system falls outside the scope of the original purpose of collection.
4. The Guideline is also addressed to manufacturers for the planning, design and development of products or services for personal information controllers, and informs users of biometric identifier services of the matters to confirm before using a service and other precautions in using such services. A self-checklist summarizing the contents of the Guideline is attached as an appendix for personal information controllers, manufacturers and users.
5. The Guideline was prepared to reflect specific examples of the use of biometric information in practice.
Standards of Non-imposition of Penalty Surcharge for Minor Violations
The PIPC disclosed on the same date (September 8, 2021) the standards of administrative sanctions for minor violations of the personal information protection laws committed by personal information controllers, under which imposition of a penalty surcharge is replaced with a corrective order, together with the standards for imposing administrative fines. Below are the standards for minor violations on which a penalty surcharge may not be imposed:
[Standards of Non-imposition of Penalty Surcharge on Minor Violations]
In any of the following cases, the PIPC may render a corrective order in lieu of imposing a penalty surcharge, after considering the particulars and quantity of the personal information concerned:
① When the final amount of the penalty surcharge to be imposed does not exceed KRW 3 million and imposing the penalty surcharge would have little effect;
② When the violation resulted from a minor mistake or a system error and caused no damage or only minor damage;
③ When fewer than 100 cases of personal information were leaked and the leakage caused no damage or only minor damage; or
④ In consideration of the degree of leakage of personal information, whether a benefit was earned directly from the violation, efforts to protect personal information (e.g., personal information protection certification and self-regulatory activities), voluntary correction of the violation, compensation for damages to data subjects, etc.
* A personal information controller that commits the same violation again after having received a corrective order in lieu of a penalty surcharge on any of grounds ①-④ above is not eligible for non-imposition of the penalty surcharge a second time.
On the same date, the PIPC applied the Guideline for the first time to six entities responsible for personal information leakages involving minor violations, and imposed administrative fines, corrective orders, public announcements, etc. in lieu of a penalty surcharge.
Further, the Director-General for Investigation and Coordination of the PIPC announced a plan to amend the PIPA so as to convert criminal punishment into monetary sanctions and not to impose a penalty surcharge on minor violations resulting in minor damage, even if the criterion of imposing the penalty surcharge on the basis of gross revenue is maintained.