The Personal Information Protection Act (“PIPA”) was enacted as a general law on personal information protection in March 2011 to fulfill the need for overarching rules governing the protection of personal information. A number of special laws already governed personal information protection in particular areas and cases, such as the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”) governing information and communications services, and the Use and Protection of Credit Information Act (“Credit Information Act”) governing personal credit information. Where individual articles conflict, the special laws prevail over the general law.
Despite the overhaul of the legal system, large-scale personal data leakage cases involving large corporations and commercial banks have been reported in increasing numbers. Some cases are the result of external attacks, but many of the data leakages were due to the misconduct or negligence of the employees of the companies in question, or mishandling of information by the trustees who were entrusted with business affairs related to personal information. Of particular note, the trustees of personal information have been the most common source of leaks.
- An oil refiner in Korea entrusted the operation of its customer service centers to its subsidiary. Some employees of the subsidiary misappropriated and attempted a sale of massive amounts of the personal data belonging to its Bonus Card members.
- In a report regarding a leak of customer information from a Korean branch of a foreign bank, an employee of a contractor hired to develop data processing systems allegedly sold approximately 103,000 pieces of customer information to marketing companies. It was reported that the employee had been facing personal financial problems.
- About 100 million credit card holders’ personal data records from three credit card companies in Korea were leaked through an employee of a third party vendor. The Financial Supervisory Service verified 85 million of the total leaked records reported in relation to this incident.
Duty to Take Safety Measures
Article 29 of PIPA states, “A personal data processor (“Processor”) shall establish an internal administration plan, keep access records, and take technical, administrative and physical measures necessary for securing safety, as prescribed by Presidential Decree, in order to prevent personal information from loss, theft, leakage, alteration or damage.” Article 73 of PIPA imposes criminal sanctions on corporations which do not fulfill the duties prescribed in Article 29 and thereby fail to prevent information leaks. After the recent data leakage cases, large Korean companies have been building internal compliance protocols such as controls on employees bringing portable IT devices into or out of the premises, limiting access to certain areas, restricting personal email or internet usage at the office, and regular and unannounced monitoring of safety measures.
Entrustment of Personal Data Processing
The Processor may provide a third party (“Recipient”) with personal data, or the Processor may entrust a third party with the processing of personal data. Even though personal information can be handed over to the third party for either purpose, the key factor that determines the application of the regulations is whether it was a provision of data for the benefit of the Recipient or entrustment of data processing for the benefit of the Processor.
Entrustment of Data
Article 26 of PIPA states that “(i) a Processor, as a truster, shall educate and supervise a trustee to prevent the personal data of a data subject from loss, theft, leakage, alteration or corruption due to the entrustment of affairs, (ii) when liability to pay compensation arises as a trustee violates this Act in the course of managing personal data in connection with the entrusted affairs, the trustee shall be deemed an employee of a truster.” In other words, a truster is vicariously liable for any breach committed by a trustee. However, two defenses are available to the truster: (i) proof that the truster exercised due care in the appointment of the trustee and the supervision of the undertaking, or (ii) a showing that the damage would have resulted even if due care had been exercised.
Article 25 of the Network Act has a provision similar to Article 26 of PIPA, whereas the relevant articles of the Credit Information Act limit who may qualify as a trustee and hold trusters jointly liable for the conduct of their trustees.
Provision of Data
In the case of provision of personal data, under Article 17 of PIPA the provider must obtain the consent of the data subjects, unlike business entrustments, which require only public disclosure or notification of the outsourcing contract. The related laws, however, do not require a provider to supervise or educate a recipient. In addition, except under special circumstances, providers are only held accountable for their own conduct and are not responsible for their recipients’ unlawful behavior.
Transfer of Personal Data Out of the Jurisdiction
With the advancement of technology and globalized business, many activities involving personal or sensitive data are transferred across multiple jurisdictions. Restrictions against the transfer of personal data out of the jurisdiction are commonly found in many data protection laws.
According to PIPA, additional consent of the data subject must be obtained when there is a provision of data out of Korea. Meanwhile, the Network Act requires the consent of the data subject for any transfer of personal data out of Korea, including entrustment of data processing and data aggregation following a business transfer.
Although the Korean Financial Supervisory Commission has introduced regulation on financial institutions’ transfer of personal data out of Korea, there have not been any noteworthy court decisions on the transfer of data out of Korea. Yet, with discussions on data localization gaining momentum, particular attention and continued monitoring of developments in this area are warranted.
Damages and Punishment
Data leaks due to any violation of related laws can lead to a claim for damages by a data subject, as well as criminal punishment if it constitutes a criminal activity. In most cases, however, the damages have been limited to small amounts of compensation for the emotional distress suffered by victims of the data leaks. Furthermore, a data subject is required to prove his or her emotional distress and suffering caused by the leak of personal data to qualify for compensable damages.
Recently, statutory damages have been introduced in the amended Network Act. An affected data subject may claim reasonable damages of up to KRW 3 million for each case instead of proving actual damages. The court may acknowledge a reasonable amount of damages within the statutory limits in consideration of the defense(s) raised by the defendant company and the results of the investigation. Several proposed amendments to PIPA and the Credit Information Act calling for the introduction of similar provisions are under consideration.
Complying with the laws and regulations governing the protection of personal data of consumers is critical in conducting corporate business. Data leakage cases to date have shown that the culpable parties leaked personal data both negligently and intentionally. It is crucial to educate all those that are entrusted to handle personal data, both employees and third party trustees, about the importance of data protection and strict compliance with relevant laws and regulations, stressing the consequences of disregarding the laws.