On March 6, 2024, the Personal Information Protection Commission (PIPC) announced amendments to the Enforcement Decree of the Personal Information Protection Act (PIPA Enforcement Act). The PIPC stated that the amendments will take effect and be enforced beginning on March 15, 2024.  

New rights for data subjects 

New rights for data subjects were included in the amendments as announced by the PIPC. Specifically, the PIPC stated that data subjects will have the right to request an explanation or review of 'fully automated decisions' made without human intervention and refuse such decisions if there is a significant impact on the rights or obligations of the data subject. The PIPC highlighted that the criteria and procedures must be transparently disclosed for processing with fully automated systems and, if requested, the data subject must be provided with an explanation of the criteria used in the process. In response to a request from a data subject, the PIPC stated that the amendments would require the data controller to explain the basis for the decision and the process by which the decision was made. 

In response to a data controller's explanation, the PIPC stated that a data subject may object to an automated decision if the decision has an impact on their rights or obligations including limitation or deprivation of the same. However, the PIPC highlighted that if the data subject has already been informed before the decision or there are clear provisions in the law, then an objection to automated processing is not recognized and only a request for explanation and review from the data controller must be honored. 

Additionally, the PIPC mentioned that a personal information processor may refuse a request to object to the processing or request for an explanation if there is a legitimate reason including the possibility of infringing on the life, body, property, or other interests of another person. The data subject must be notified of the reason without delay. 

Stronger CPOs requirements 

The PIPC also stated that companies and public institutions that process large amounts of personal information or sensitive personal information will have stronger qualification requirements for Chief Privacy Officers (CPOs). The announcement highlights that the increased measures are to ensure that CPOs can perform their duties based on expertise and independence. Specifically, the amendments will require personal information processors that meet revenue and information retention requirements to designate a person with at least four years of experience in personal information protection as a CPO. A transitional provision is established which states that CPOs at the time of implementation must meet the four-year requirement by March 14, 2026. 

Additional amendments 

The PIPC also has mentioned that the legal basis for overseas transfers must be disclosed in the privacy policy in addition to the name of the country where the personal information of South Korean data subjects is directly collected and processed if done in a foreign country. Lastly, online businesses with annual sales of more than KRW 50 million (approx. $37,464) and more than 1,000 users were required to obtain insurance and accumulate reserves to fulfill liability for damages to data subjects. The amendments update this to now include information processors with annual sales of more than KRW 1 billion (approx. $749,245) and more than 10,000 data subjects. 

The PIPC stated it will release a draft guide containing detailed standards and examples in March 2024. 

You can read the press release, only available in Korean, here. 

UPDATE March 13, 2024

PIPC publishes PIPA amendment guidelines

On March 12, 2024, the PIPC published guidelines for the PIPA Enforcement Decree amendments. The PIPC stated that the amendments are expected to go into effect on March 15, 2024. 

You can download the guidelines and read the press release here, both only available in Korean.