• The Use and Protection of Credit Information Act (the “Credit Information Protection Act”) and its subordinate regulations, i.e., accompanying Enforcement Decree of the same act, have been partially amended and became effective as of September 12, 2015. The key provisions of the amendment are as follows:
  1. Enhancement of Protection of Personal Credit Information and Data Subject
    • [Improved Method of Consent] Specific methods (e.g. accredited certificate or OTP) are no longer required for providing consent and in verifying the identity of the user when personal credit information is used or provided. Instead, the amendment permits individual finance companies to autonomously screen and choose the safest methods among the available options.
    • [Mandatory and Optional Consent Matters Differentiated] The amendment proposes standards for finance companies to autonomously differentiate mandatory and optional consent matters by determining whether certain information should be deemed “mandatory” and whether certain consent should be “mandatorily” provided. Moreover, the amendment will provide distinct consent forms that consumers can easily understand.
    • [Credit Information Retention Management Enhanced] Optional credit information used in financial transactions which are already concluded are required to be deleted within three months, while mandatory information is permitted to be retained up to five years under separate storing and controlled access.
    • [Entrustment Procedure for Information Handling Enhanced] When an information handler entrusts the handling of credit information, it is obligated to establish protective measures such as encryption if unique identifying information is provided to the entrusted party.
    • [Credit Information Custodian and Administrator System Enhanced] Finance companies exceeding a certain size* are obligated to appoint a credit information custodian or administrator as a corporate officer.
    • [Record Retention Obligation Enhanced] When collecting, using, providing or discarding personal credit information, companies are obligated to conserve the related records for three years.
    • [Credit Information Inquiry System] A system in which the data subject can inquire into the use and provision history of his/her credit information for the past three years will be established (however, if the relevant credit information was used for internal business management, repeat outsourced work and other such internal corporate matters, such use/provision is excluded from inquiry).
    • [Right to Withdraw Consent for Providing Personal Credit Information Enhanced] The current provision that limits the term within which the data subject can exercise his or her right to withdraw consent (three months) has been abolished and the data subject’s discretion regarding his/her personal information has been enhanced.
    • [Credit Information Leakage Notification] If there is a leakage in credit information, the information handler is required to notify the data subject without delay. If there is a leakage of credit information of more than 10,000 individuals, the information handler is obligated to place a public notice for more than seven days.
  2. Remedies for and Sanctions against Information Leakage Enhanced
    • [Standard for Imposition of Administrative Fines] Specific procedure and standard for imposition of administrative surcharge have been established in accordance with the introduction of punitive and legal damages and punitive administrative surcharge regime against information leakage.
    • [Standards for Liability Insurance Subscription] To secure adequate remedies, the amendment provides new standards for liability insurance subscription*. If the information handler already subscribed to a liability insurance policy pursuant to the Electronic Financial Transactions Act, such information handler is deemed to be in compliance with the Credit Information Protection Act.
  3. Credit Information Collection Agency and Credit Inquiry Service Industry Reorganized
    • [Scope of Information Subject to Central Management by Credit Information Collection Agency] The amendment consolidates and codifies the scope of credit information subject to central management.
    • [Public Interest and Neutrality Improved] The amendment added public interest and neutrality as requirements for a license to engage in comprehensive collection agency business.
  • Due to the implementation of the amended Credit Information Protection Act and its subordinate regulations, the burden of information protection and the punishment for information leakage have become more rigorous for finance companies and other credit information handlers. Relevant companies should establish enhanced protective standard for each phase of collection, retention, provision and deletion of personal credit information and should further invest concentrated efforts in complying with the information protection regime, i.e., effectuating advance inspection of the operational status of internal control including a response system for credit information breach accidents.