South Korea has emerged as a technological powerhouse, boasting one of the most advanced digital infrastructures globally. It’s a nation known for its blazing-fast internet speeds, tech-savvy population, and thriving e-commerce ecosystem. In 2018, South Korea participated in the OECD Digital Government Index (DGI). The DGI evaluates and measures the maturity of e-government policies and their implementation as part of a coherent government-wide approach. This participation allowed the Korean government to review its progress in six dimensions: digital by design, government as a platform, data-driven public sector, open by default, user-centric, and proactive. South Korea has been able to draw insights and lessons from its partners and the OECD in the areas of digital identity, data-driven public sector and service design and delivery through the work of the E-Leaders thematic groups. This ranked the country first among 29 OECD countries in the 2019 OECD Digital Government Index. Korea performed better on all six dimensions.
As South Koreans embrace digital lifestyles, the volume of data generated is staggering. Every click, every purchase, and every interaction with online services leaves a trail of digital footprints. This surge in data creation has necessitated the development of robust data privacy regulations to safeguard the rights and freedoms of individuals.
While data privacy is a concern worldwide, the approach to addressing it varies from one country to another. Many nations have enacted comprehensive data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), which serve as global benchmarks for data privacy. South Korea, too, has established its legal framework to ensure the protection of personal information. South Korea’s data privacy regulations are aligned with international standards, particularly in addressing the processing of personal data and the rights of data subjects. These regulations are crucial not only for the protection of South Korean citizens but also for facilitating international data transfers and collaborations with countries that have similar data protection standards.
In the upcoming sections of this blog series, we will delve deeper into the specifics of data privacy in South Korea. We will explore the legal framework, key regulations such as the Personal Information Protection Act (PIPA), the roles of data protection authorities, and recent data privacy incidents and breaches, and we will suggest best practices on privacy policy enforcement for businesses operating in South Korea or planning to do so.
Data Privacy Laws and Regulations in South Korea
- The Legal Framework
Data privacy and protection laws of South Korea consist of a General Law and Specific Sector Laws.
General Law – The Personal Information Protection Act (PIPA) of South Korea, established on August 30, 2011, serves as the primary legislation governing the collection, use, and handling of personal information. PIPA is the cornerstone of South Korea’s approach to data privacy and aligns with international standards to ensure robust protection for individuals’ data. PIPA, which mainly governs the collection and use of personal information (PI), works together with its Enforcement Decree, the prime implementing regulation (PIPA-ED). It is important to note that this law has been amended several times. The recent March 14, 2023 amendment introduced a data subject’s right to data portability and the right to contest automated decision-making, unification of the Special Provisions for ICSPs (as defined in the special laws section below) with the general provisions for data handlers, relaxation of certain consent requirements for the processing of personal data, diversified legal bases for transferring personal data overseas, the PIPC’s power to suspend overseas personal data transfers, and data handlers’ obligation to destroy pseudonymized data. Companies must therefore closely monitor amendments to both PIPA and its Enforcement Decree to ensure compliance with any additional data protection requirements they may be subject to.
Specific Sector Laws – In addition to PIPA, South Korea has established other regulations that complement its data privacy framework. These include:
- The Act on Promotion of IT Network Use and Information Protection (Network Act): This law addresses issues related to data breach notifications, requiring organizations to promptly notify both authorities and affected individuals in the event of a data breach.
- The Act on Credit Information Use and Protection (Credit Information Act): This law focuses on credit information, ensuring that the handling of such sensitive data is subject to stringent regulations.
- Personal Information Protection Commission
The Personal Information Protection Commission (PIPC) is the central authority responsible for overseeing and enforcing data privacy regulations in South Korea. PIPC plays a vital role in monitoring compliance, investigating violations, and providing guidance to organizations on data protection best practices. Non-compliance with PIPA can result in fines, business suspensions, and even criminal penalties in severe cases. For businesses operating in South Korea, compliance with PIPA is not optional; it is a legal obligation. Companies must invest in data protection measures, including staff training, data security technologies, and compliance checks. Failure to do so exposes businesses not only to financial penalties but also to reputational damage.
- Personal Information (PI) Acquisition/Consent Principle
According to Article 15(2) of PIPA and Article 22(1) of the IC Network Act, a data handler must notify the data subject of the following before obtaining consent:
- purposes of collection/use of personal information
- items of personal information to be collected
- duration of retention/use of personal information
The data handler is also required to:
- not use the personal information for any other purpose (Article 18 of PIPA, Article 24 of IC Network Act)
- publicly disclose its privacy policy (Article 30 of PIPA, Article 27-2 of IC Network Act) and notify the data subject of the specific usage of personal information at least once a year (Article 30-2 of IC Network Act)
- process personal information in such a manner as to minimize the possible infringement upon the privacy of the data subjects (Article 3(6) of PIPA)
When disclosing PI to third parties, the data handler must notify the data subject of the following before obtaining consent:
- the recipient of the PI
- the purpose for which the recipient will use the PI
- particulars of the PI to be provided
- period of retention and use by the recipient
- the data subject’s right to refuse consent, and any disadvantages that may follow from such refusal
- Data Privacy Breach Sanctions and Enforcement in South Korea
Collecting PI without consent attracts a variety of sanctions, including imprisonment with labour, fines, and administrative fines.
- Obtaining PI without the data subject’s consent (or another legal basis), or collecting the PI of a child under the age of 14 without the legal representative’s consent, may be subject to an administrative fine of KRW 50 million or more.
- Using or disclosing PI to a third party without the data subject’s consent attracts a fine of up to KRW 50 million.
- Obtaining consent to process PI by fraud or unjust means is subject to imprisonment with labour for up to 3 years or a fine of up to KRW 30 million.
- Failing to provide the data subject with the information prescribed under the consent principle when collecting PI is subject to an administrative fine of up to KRW 30 million.
- Notable Data Privacy Incidents in South Korea
South Korea consistently ensures the effective enforcement of notice and consent regulations. The Korea Communications Commission (‘KCC’) is responsible for upholding the data privacy provisions of the Network Act and, since the 2020 amendments to PIPA, so is the PIPC. There have been numerous instances in which the KCC imposed penalty surcharges for breaches of consent requirements.
In 2019, the KCC levied a penalty surcharge against an Information and Communications Service Provider (ICSP) for collecting or using personal information without proper consent. The official rationale behind this ruling was that the ICSP had failed to secure separate consent after duly informing individuals of the legally mandated information, including the specific personal data to be collected or used and the purposes of such collection or use.
Prior to the 2020 amendments to the PIPA coming into effect, on July 15, 2020, the KCC issued a corrective directive and imposed a penalty surcharge of KRW 180 million upon an international media platform operator. This action was taken in response to the operator’s unauthorized collection of personal information belonging to minors under the age of 14, conducted without the consent of their legal guardians.
Furthermore, on April 28, 2021, the PIPC imposed penalties and levied a fine on a chatbot developer for breaching the provisions of PIPA. The violations included the developer’s failure to adequately inform users of its other services that their messages would be used to train a popular AI chatbot via machine learning, and its failure to obtain explicit consent from users for this purpose. It is worth highlighting that the PIPC determined that merely incorporating a clause into the terms users must accept to log in to the application did not meet the criteria for “explicit consent” as mandated by PIPA.
On July 12, 2023, the Personal Information Protection Commission (PIPC) announced its decision, in which it imposed an administrative fine of KRW 27 million (approx. $20,480) and a penalty of KRW 6.8 billion (approx. $5,192,120) on LG U+ Co., Ltd., for violations of the Personal Information Protection Act (PIPA), following a data breach.
These instances are significant because they demonstrate a shift from past practice: South Korean privacy regulators are now more proactive in applying stringent sanctions to non-Korean entities that are subject to South Korea’s data protection laws.
South Korea’s approach to data privacy issues and the swift sanctions imposed on violators speak to the nation’s commitment to preserving the rights of its citizens. The nation’s proactive stance on data privacy serves as an example for the world. Amendments to data privacy laws are both necessary and inevitable as the digital space keeps evolving. A good way for businesses to start is to identify tools that design privacy in from the beginning, and that is where the Epistimis Modeling Tool comes in handy. The Epistimis Modeling Tool (EMT) is a solution for businesses seeking to enhance their data privacy practice and stay compliant. EMT is an innovative tool that is proven to help businesses adapt and thrive in this data-driven era. To mention just a few of its functions, the Epistimis Modeling Tool:
- does not require coding skills nor knowledge
- designs privacy in from the beginning of the business design
- covers all business models irrespective of jurisdiction
- provides you with on-the-go updates on rule amendments.