South Korea: Amendments to PIPA and PIPA Enforcement Decree enter into force
The amendments to the Personal Information Protection Act 2011 (PIPA) and the amended PIPA Enforcement Decree entered into force on September 15, 2023.
The amendments to the PIPA and the PIPA Enforcement Decree cover various issues including data portability, data transfers, children's personal data, and data breach notification.
Overseas data transfers
The amendments to PIPA expand the legal bases for overseas transfers that do not rely on the data subject's consent. These include transfers to countries that the Personal Information Protection Commission (PIPC) has recognised as providing a level of data protection equivalent to PIPA, and transfers permitted under relevant laws or under treaties/conventions to which South Korea is a party.
Notably, the amended PIPA Enforcement Decree sets out differentiated requirements for each type of overseas transfer and gives the PIPC the power to order the suspension of overseas transfers in certain situations.
Data subject rights
The amendments to PIPA grant data subjects the right to request that their personal information be transmitted to themselves or to another data controller, subject to the following conditions:
- the personal information must have been processed on the basis of the data subject's consent, or in order to perform a contract executed with the data subject; and
- the data controller receiving the personal information must satisfy the relevant facility and equipment standards.
Additionally, the amendments to PIPA entitle data subjects to the following rights in relation to automated decision-making:
- the right to request an explanation from the data controller in cases where they have been subjected to automated decision-making; and
- the right to refuse automated decision-making where the automated decision is likely to affect their rights and obligations.
Unification of online and offline systems
Under the amended PIPA Enforcement Decree, the notification obligations relating to the collection of personal data from a third party and to the details of data usage are unified under a new, technology-neutral system, removing the previous distinction between online and offline processing of personal data.
Further, the amendments to PIPA remove the distinction between ordinary data controllers and data controllers that are information communication service providers.
Administrative and criminal penalties
The amendments to PIPA alter the administrative fines and criminal penalties as follows:
- the maximum administrative fine is set at 3% of total sales, excluding sales unrelated to the violation. However, if the data controller refuses to submit its sales data without a reasonable explanation, or submits false sales data, the fine may instead be calculated on total sales without that exclusion;
- online and offline businesses are subject to the same fines for the same violations, since the distinction between ordinary data controllers and data controllers that are information communication service providers no longer applies; and
- certain criminal penalties contained in the PIPA prior to the amendment have been removed. These include the penalties for:
  - leakage of personal information caused by a data controller's failure to implement mandatory security measures;
  - an information communication service provider's collection and use of personal information without consent; and
  - a failure to destroy personal information.
Data breach notification
The amended PIPA Enforcement Decree requires a personal information controller that becomes aware of a leak of personal information to notify the affected individuals within 72 hours of becoming aware of it.
Children's personal data
The amended PIPA Enforcement Decree also obliges a personal information controller to specify the method it uses to confirm that the legal representative of a child under the age of 14 has consented, on the child's behalf, to the processing of the child's personal information.
Safeguards required by public institutions handling large data sets
The amended PIPA strengthens the safety measures that operators of major public systems handling large volumes of Korean citizens' personal data must implement. Such measures include the analysis and inspection of access records, the designation of a manager responsible for each system, and the notification of incidents of unauthorised access to personal data through a public system, among others.
The PIPC will oversee the enforcement and application of the PIPA and the PIPA Enforcement Decree.
The PIPC is currently preparing a further revision of the Enforcement Decree to implement those provisions of the amended PIPA that take effect at later stages, including the provisions on 'MyData' (i.e. the right to data portability). These amendments to the PIPA Enforcement Decree will be released for public comment in stages, starting from October 2023.
OneTrust DataGuidance has released a number of resources to assist with your PIPA compliance:
- South Korea - Data Protection Overview Guidance Note;
- South Korea - Data Breach Guidance Note; and
- South Korea: Amendments to PIPA - Key takeaways.
For further information and resources on South Korea, see our South Korea homepage.