South Korea: Amendments to PIPA - Key takeaways
On 27 February 2023, the South Korean National Assembly passed a proposal amending the Personal Information Protection Act 2011 ('PIPA'). These amendments are among some of the most extensive amendments to PIPA since its enactment.
In this Insight article, Timothy Dickens, Partner at DR & AJU LLC, provides insight into the amendments to PIPA and their impact on businesses.
Introduction
Generally, when we hear of amendments to bills and legislation, particularly when it comes to the sensitivity around data privacy and data protection, we instinctively wince wondering what the lawmakers have managed to concoct in terms of new compliance requirements that serve as the proverbial ball and chain. Thankfully, and much to our delight, the Yoon Administration has continued on its positive trend to make reasonable, practical, and thoughtful amendments to PIPA.
What areas of PIPA were amended?
The amendments to PIPA are quite broad and cover a range of issues from data portability, data transfers, penalty provisions, and the unification of rules for offline and online businesses. Please find a summary of some of the most important aspects below:
Overseas data transfers
With regard to overseas transfers, the amendments have expanded the legal basis for transfers where the data subject's consent was not collected, in the following instances (Articles 28-8 to 28-11 of PIPA):
- The transfer is to a country approved by the Personal Information Protection Commission ('PIPC') to satisfy PIPA levels of data protection.
- There is a law or treaty/convention where South Korea is a party that allows the overseas transfer of personal information.
- The transfer is for entrustment purposes or data storage which is essential to perform a contract with the data subject while one of the following two is satisfied:
  - items to be announced to the data subject when collecting consent are disclosed; or
  - items to be announced to the data subject when collecting consent are notified to the data subject through email, etc.
- The transferee is certified by the PIPC with safety measures applied according to the PIPC's notice and the measures to perform the certification in the transferee country.
We see these amendments as practical and necessary. International clients are often advised on the rigorous consent issues when transferring personal information to their data centres/servers situated outside of Korea, often resulting in vast amounts of time and effort being incurred to ensure compliance. We see the relaxation of the consent requirement in the above circumstances as a positive step in considering the consent issue from a holistic view.
The flip side, however, is that PIPA added a new clause for the overseas data transfer that empowers the PIPC to impose orders to cease cross-border transfers where they believe the transfers to be in violation of PIPA (Article 28-9 of PIPA).
In short, this is a slightly double-edged knife, but overall a welcome addition.
Data portability
The amendments grant data subjects the right to request transmission of their personal information to themselves or another data controller (Article 35-2 of PIPA). This will be subject to the following parameters:
- the personal information must have been processed based on the consent of the data subject;
- the personal information must have been processed to perform a contract executed with the data subject; and
- the requested data controller must satisfy certain relevant standards for facility/equipment.
The aim of this amendment is to effectively strengthen data subjects' control over their personal information, who has control of it and how it is utilised. With the ever-present BigTech/'Big Brother' question on everyone's lips, this amendment seems a move in the right direction as to data subjects' control over how, and by whom, their data is managed and stored. After all, data is becoming the new 'currency' and control/access to data will be a powerful tool. The downside, however, is just how the transfer of data will take place. Most companies have very uniquely built internal systems and processes; to standardise these across sectors will be tricky. Likewise, data controllers having to satisfy certain relevant standards may in effect just mean that only a few large-sized companies would effectively qualify and be compliant under this requirement, which would then take us back to square one. In short, however, more control to the individual is a welcome addition for data subjects.
Unification of data protection rules for offline and online businesses
The amendments remove the distinction of ordinary data controllers and data controllers that are information communication service providers. The amendments thus subject all data controllers to the same application of rules and requirements by deleting and combining the chapter and clauses in PIPA, such as those specifically applied to the information communication service provider. This amendment was to remove any confusion in regard to the enforcement of PIPA.
This amendment seems logical and provides consistency across the board for all businesses. It would, however, require offline businesses to be vigilant as they would have a slightly increased burden to ensure compliance with PIPA.
Rights to automated decision-making
This amendment entitles data subjects to the following rights in relation to automated decision-making:
- the right to request an explanation from the data controller in cases where they have been subjected to automated decision-making; and
- data subjects will also have the right to refuse automated decision-making when the automated decision-making is likely to affect their rights and obligations.
Much like the data portability aspect, the automated decision-making amendments also place the power back in the hands of the data subjects. This amendment is positive as it gives the data subject the right to prevent the infringement of its rights when, more now than ever, BigTech is at times making unilateral decisions regarding personal information through automated decision-making.
Administrative and criminal penalties
These amendments have been tweaked and some of the penalty provisions and administrative penalties are as follows:
- The maximum administrative fine sits at 3% of total sales (except the sales that are irrelevant to the violation); however, if the data controller refuses to submit the sales data with no reasonable explanation or provides fictitious sales data, the administrative fine can be increased to 3% of the total sales.
- Offline and online businesses will be subject to the same fines for the same violations. This ties in with the unification of data protection rules as mentioned above. The distinction between data controllers and data controllers that are information communication service providers will no longer be relevant.
- Certain criminal penalties that were contained in the previous PIPA prior to the amendment have been removed. This includes:
  - leakage of personal information due to data controllers' failure to implement mandatory security measures;
  - an information communication service provider's collection and use of personal information without consent; and
  - a failure to destroy personal information.
These amendments are a welcome introduction, particularly the removal of certain criminal penalties. The strict data protection requirements sometimes seem to overreach in terms of the possible penalties that could be applicable for breaches of PIPA. Particularly when it comes to data controllers who have thousands of data subjects, there is always the possibility of oversight, mistake, or human error and removing the severe criminal penalties is a positive addition to PIPA. In addition, the amendments also expand the requirements for submission to dispute resolution of issues arising under statutes which may be a positive force in resolving disputes without the need for burdensome sanctions and penalties.
Introduction of provisions for visual information processing devices
The amendments introduced new provisions in regard to visual information processing devices, including fixed visual information processing devices (e.g. CCTV for safety and traffic control) and mobile visual information processing devices (e.g. autonomous vehicles and drones). For fixed devices, they are allowed when none of the photo/film personal information is stored. With regard to mobile visual information processing devices, these devices are allowed to collect and process visual information in open spaces even when it is difficult to obtain consent from unspecified people if the information subject can clearly have knowledge of the fact of filming by notification through lights, sounds, information boards, etc.
Hopeful and watchful
As with many of the previous amendments, this takes away the inconvenience of having to obtain opt-in consent from people who are unspecified and which could include very large numbers of people. How these new standards and additional spaces will be implemented is another space to watch and we will keenly follow how the PIPC will interpret and implement these amendments to PIPA.
All in all, the amendments to PIPA are a welcome addition, particularly where we see cross-border transfers of personal information on the increase. Likewise, with customers and data subjects preferring to have more ownership over their personal information and how they use it, these amendments to PIPA go a long way in removing the total autocracy that BigTech has on personal data and the use thereof. In an ever-changing world, we can only hope that the policy makers continue on this positive trend in how they implement and promulgate laws for data protection that are practical, logical, and effective.
Timothy Dickens Partner
DR & AJU LLC, Seoul