
South Korea: Key aspects of the Amended Personal Information Protection Act and its Enforcement Decree for online businesses in Korea

The Korean National Assembly passed amendments to the Personal Information Protection Act (Amended PIPA) earlier this year, and the Amended PIPA came into effect on September 15, 2023. Based on the Amended PIPA, Korea's Personal Information Protection Commission (PIPC) adopted corresponding amendments to its Enforcement Decree (Amended Enforcement Decree), which has also taken effect.

The Amended PIPA aims to strengthen the protection of data subjects' rights, but at the same time, is also intended to facilitate data controllers' processing of personal data. Detailed criteria and standards for implementing the Amended PIPA are set forth in the Amended Enforcement Decree. In our view, the changes introduced by the Amended PIPA and Amended Enforcement Decree have effectively taken the Korean data protection legal framework to a level closer to the EU's General Data Protection Regulation (GDPR), with certain notable discrepancies still remaining.

In this Insight article, Samuel (Soon-Yub) Kwon, Jongsoo (Jay) YOON, and Jeannie (Yee Jean) Jeong, from Lee & Ko, will discuss some of the key elements of the Amended PIPA and Amended Enforcement Decree and their implications for online service providers and businesses operating in Korea.

Consolidated rules for online and offline businesses with tightened enforcement regulations

One of the major changes embodied in the Amended PIPA is the consolidation and updating of the existing bifurcated rules of the pre-amended PIPA applicable to ordinary data controllers such as offline businesses, and data controllers that are considered 'information communication service providers,' including online service providers (online businesses). As a result, offline businesses have now become subject to additional obligations that used to apply only to online businesses under the pre-amended PIPA. On the other hand, online businesses may benefit from some of the more relaxed standards that used to apply only to offline businesses under the pre-amended PIPA. Now that the Amended PIPA is made applicable to both online and offline businesses, the Amended Enforcement Decree contains new regulations that seem to have tightened up the existing data protection rules in several respects, including:

  • notification and reporting of data breach: In place of the varying data breach notification and reporting obligations between online and offline businesses under the pre-amended PIPA, the Amended Enforcement Decree now requires all data controllers (i.e., both online and offline businesses) to notify affected data subjects, and report to the relevant authority, of any data breach within 72 hours of becoming aware of the breach;
  • security measures: With respect to the Amended PIPA provision concerning data controllers' obligations to take various security measures, the Amended Enforcement Decree elaborates on details of such required security measures while removing the seemingly ambiguous terminology that could be interpreted as data controllers' obligation to adopt certain security-related technologies or equipment, so that data controllers may freely choose wide-ranging new technologies, such as the latest security and authentication technologies. More specific details are expected to be provided in the forthcoming amendments to the PIPC's Notification on Security Measures for Safeguarding Personal Information; and
  • designation of domestic representative: In relation to the Amended PIPA provision requiring all data controllers (i.e., both online and offline) to designate a domestic representative, the Amended Enforcement Decree specifies that such obligation would be triggered based on a data controller's 'total sales revenue' (as opposed to the data controller's 'sales revenue related to the online business division' under the pre-amended Enforcement Decree) in excess of the applicable threshold amounts.

From an online business perspective, it is noteworthy that the Amended Enforcement Decree generally imposes slightly more rigorous obligations on data controllers than before. Also, the upcoming updated PIPC Notifications and Guidelines may provide for additional obligations of data controllers (e.g., additional compliance measures required specifically of online businesses) that are not explicitly addressed in the Amended PIPA or the Amended Enforcement Decree. Thus, it would be advisable to stay updated on the PIPC's forthcoming Notifications and Guidelines.

Cross-border transfer of personal data

Given the increasing demand for cross-border transfer of personal data by global online service providers operating in Korea, the Amended PIPA has expanded the legal bases for such cross-border transfer of personal data. While the Amended Enforcement Decree provides for certain requirements and procedures for the two newly-added legal bases included in the Amended PIPA, detailed implementing rules are yet to be provided in the PIPC's forthcoming updated Notification on Management of Overseas Transfer of Personal Information. As of now, the updated Notification is expected to be finalized and published toward the end of the year.

In addition, the PIPC's authority to suspend a cross-border transfer under the Amended PIPA largely mirrors that of the EU's regulatory authorities under the GDPR. In this context, the Amended Enforcement Decree sets out specific factors to be considered by the PIPC when determining whether to issue a suspension order. Any objection to the PIPC's suspension order must be made within seven days from the date of receipt of the order, and the PIPC has 30 days to respond to the objection.

It should also be noted that, unlike the GDPR, the Amended PIPA does not specify standard contractual clauses or binding corporate rules as a legal basis for a cross-border transfer. Accordingly, online businesses intending to transfer personal data outside of Korea will need to be mindful of these new rules governing cross-border transfers to avoid the risk of a suspension order or other sanctions from the PIPC.

Administrative penalties

The Amended PIPA has modified the upper limit of the administrative penalty, shifting from 3% of a data controller's sales revenue related to the activity in violation of the PIPA to 3% of the data controller's total sales revenue. In addition, the Amended Enforcement Decree has introduced further updates, which include:

  • providing the rates to calculate an administrative penalty in ranges, with base rates significantly lower than the previous fixed base rates;
  • implementing substantial upward adjustments to the administrative penalty amounts applicable for cases where sales revenue data is unavailable; and
  • breaking down the previous three grades of violation severity (used to determine the applicable base rate or the base penalty amount) into four grades.

One of the key implications of the changed base to calculate the upper limit of administrative penalties from 'sales revenue related to the activity in violation' to 'total sales revenue' under the Amended PIPA is that data controllers are now burdened with proving the existence of any sales revenue unrelated to the activity concerned, to be excluded when calculating the administrative penalty amount. Consequently, if a data controller refuses to submit sales data to the PIPC without a justifiable reason, the penalty amount will be calculated based on the data controller's total sales revenue, which encourages data controllers subject to PIPC investigations to promptly provide accurate sales revenue data.

Data subject's enhanced rights

The Amended PIPA contains new provisions that grant data subjects the right to data portability and the right to contest automated decision-making, as further discussed below.

  • Right to data portability: Contrary to the GDPR, which has historically recognized the right to data portability as one of the data subject's fundamental rights, the right to data portability was recognized only with respect to certain types of data under Korea's Use and Protection of Credit Information Act 2009 until the Amended PIPA became effective. Under the Amended PIPA, data subjects are entitled to request data controllers to transmit their personal data to either the data subjects themselves or a third party. Upon request, data controllers must transmit the relevant data in a format that can be processed by a data processing device, such as a computer, to the extent technically feasible and reasonable in terms of time and cost. In the context of the right to data portability, the Amended PIPA also introduces a new concept of 'special institution,' to be designated by the PIPC or another relevant central administrative agency for the management of personal data. By introducing this concept, the Amended PIPA seeks to streamline and facilitate systematic data transmission and sharing, going beyond the general right to data portability recognized in the GDPR. However, as this is one of the unique aspects of the Amended PIPA, not found in the GDPR or in the data protection rules of any other country, it remains to be seen how the role of such a special institution will actually be defined and put into practice.
  • Right to contest automated decision-making: The Amended PIPA further enhances data subjects' rights by providing them with the right to refuse or contest decisions made solely by automated means with no human involvement, such as artificial intelligence (AI)-driven systems. Once data controllers receive a request from data subjects, they must take the necessary measures to comply with the request, such as excluding the data subjects from automated decisions, reprocessing their personal data by involving humans, or providing an explanation to them, unless there is a justifiable reason not to do so. Data controllers also have the obligation to disclose their standards and procedures for the operation of the relevant automated decision-making system in a manner easily comprehensible to data subjects. However, data controllers can reject such requests if:
    • the automated decision-making process has taken place with the data subject's consent;
    • there is a specific provision in the law that makes the automated decision-making process required; or
    • the automated decision-making process is required for the execution and performance of a contract with the data subject.

The primary objective of the Amended PIPA's adoption of the right to data portability is to further strengthen data subjects' control over their personal data, thereby curtailing major platform operators' control over the processing of customers' personal data, and laying the groundwork for small-sized entities, such as start-ups, to safely utilize personal data. However, as data standardization is essential to facilitating the transmission of personal data between companies and across industries, and judging from precedents in the financial sector where the right to data portability was first introduced in August 2020, this task is expected to pose considerable technical and economic challenges. In addition, since the right to data portability under the Amended PIPA is designed to not only enhance data subjects' rights but also facilitate the data economy, it may have different implications that are not expected from the GDPR's right to portability (as the GDPR primarily focuses on the protection of data subjects).

The right to contest automated decision-making under the Amended PIPA could also serve as a measure to prevent the infringement of data subjects' rights, particularly when data controllers are relying increasingly on automated decision-making by utilizing rapidly advancing AI technologies. While similar rights exist under the GDPR, the Amended PIPA has its unique provisions and details regarding the right to contest automated decision-making, which may require online businesses to take certain additional compliance measures.

Further, it should be noted that the Amended PIPA and the Amended Enforcement Decree provisions pertaining to the right to data portability and the right to contest automated decision-making did not come into effect on September 15, 2023, and instead are scheduled to become effective sometime between one and two years from the promulgation date (i.e., between March 15, 2024, and March 15, 2025). Thus, online businesses should closely follow the forthcoming provisions of the Amended Enforcement Decree, which are expected to contain specific criteria and procedures for data subjects' rights relating to data portability and automated decision-making.

Samuel (Soon-Yub) Kwon, Senior Foreign Attorney, Partner
Jongsoo (Jay) YOON, Partner
Jeannie (Yee Jean) Jeong, Senior Foreign Attorney, Partner
Lee & Ko, South Korea