On June 26, the Ministry of Interior publicly disclosed the names of 20 companies which have been sanctioned due to violation of the Personal Information Protection Act (the “PIPA”) of Korea.
Article 66 of the PIPA provides that the Minister of Interior may publicly announce the sanctions levied, after the resolution of the Personal Information Protection Commission.
In the disclosure made last week, 20 companies were selected based on the seriousness of the sanctions received (administrative fine of KRW 10 million or more) out of the 192 companies that were sanctioned during the period from August 2017 to March 2018. The list included various companies and institutions, including universities, coffee franchises, travel agencies, and retailers.
Key areas of violations included the following:
- Personal data collection:
According to Article 15(2) of the PIPA, any person processing personal information (“Data Processor”) should inform the data subjects the following information prior to collecting personal data: (a) purpose of data collection, (b) categories of data collected, (c) retention and use period, and (d) data subject’s right to refuse consent, and any consequences of not providing the personal data.
- Responding to data breach:
According to Article 34(1) of the PIPA, when the Data Processor discovers a data breach, it must ‘promptly’ inform the data subjects: (a) categories of personal data affected, (b) time and circumstances of the data breach, (c) measures that the data subjects may take to mitigate the damage, (d) contact information of the company for reporting any damages suffered by the data subjects, and (e) remedial actions taken and/or to be taken by the company and the process.
Unlike the EU’s General Data Protection Regulation (the “GDPR”), the PIPA requires any data breach to be ‘promptly’ notified to the data subjects, regardless of the level of risk. ‘Promptly’ is not defined in the PIPA, however, the standard guideline issued by the Ministry of Interior states that a breach should be notified within 5 days unless there are justifiable reasons. However, it is important to note that under the Act on the Promotion of Utilization of Information Communications Network and Information Protection (“Network Act”) of Korea, which governs the use of personal data by companies in the context of telecommunications services, requires a data breach to be notified to the data subjects within 24 hours.
- Data deletion:
According to Article 21(1) of the PIPA, when the retention period expires, or the purpose of the data collection is completed, or otherwise the data becomes not necessary, the Data Processor should immediately delete the data. However, if the Data Processor is required to retain the data in order to comply with any other laws, the company should continue to hold on to the data, but store the data separated from other personal data.
- Data security measures:
According to Article 29 of the PIPA, the Data Processor should take technical, organizational, physical measures to protect the personal data from loss, theft, exfiltration, damage or alteration.
Compared to the GDPR, the security measures required under the PIPA are much more specific and detailed, as they are elaborated through the presidential decree and the enforcement regulation of the Ministry of Interior.
Some of the security requirements that the companies were found to be lacking included the following:
- when accessing the system from outside the company through telecommunication network, safe access methods should be used (e.g. VPN);
- access should be restricted if password is wrongfully inserted for more than a certain number of times;
- when transmitting biometric data, password, or unique identification number through the telecommunication network or by external storage devices (e.g. USB, CD, DVD, portable hard drive), such information should be encrypted;
- when storing passwords, they should be protected by one-way encryption;
- data related to access authority (granting, changing, and withdrawal thereof) should be stored for at least 3 years;
- access logs should be stored for at least 6 months; and
- access logs should be monitored at least once every quarter, to protect the data against loss, theft, exfiltration, damage or alteration.
The Ministry of Interior stated that it intends to continue to rigorously enforce the PIPA, and actively announce the names of the violating companies. Therefore, it is important for companies to streamline its data protection compliance in preparation for any future audits by the Korea data protection authorities.