1 September 2016
The Korean Communications Commission (‘KCC’) announced, on 11 August 2016, that it brought an enforcement action against 11 smartphone app providers for violations of the Act on Promotion of Information and Communications Network Utilisation and Data Protection, etc. 2005 (‘the Network Act’). In particular, the KCC issued fines in relation to data security, retention and sharing.
Kyoung Yeon Kim and Yun Yong, Partner and Foreign Attorney at Yulchon LLC respectively, told DataGuidance, “The KCC position in this case was very strict. It would be proper to say that this enforcement action is a part of a regular check-up by the KCC to alert the industry to follow the rules on personal data protection.”
The KCC issued administrative fines ranging between KRW 10 (approximately €7,991) to 15 million (approximately €11,894) for either absence or insufficient encryption measures during the transmission of data to and from the applications, which violated Article 28 of the Network Act.
In addition, the KCC imposed administrative fines ranging between KRW 5 (approximately €3,995) to 10 million (approximately €7,991) for violations of Article 29 of the Network Act, namely for failing to destroy or separately store users’ personal data, who were not using the service for more than one year.
Such enforcement is not done by surprise but rather with advance notice. However, not only application providers but also other companies under the Network Act could be investigated at any time. As a result, the law should be cautiously abided by.
Kim and Yong noted, “Regarding Article 29 of the Network Act, the KCC adopted an ‘expiration date for personal data’ system which mandates service providers to destroy or separately store the data of users who did not use the service for at least three years. The purpose of this system is to prevent unexpected accident or leakage of certain personal data like those of a dormant account which have been stored for a unnecessarily long period of time. In 2015, the KCC imposed more stringent requirements by decreasing the retention period from three years to one year. However, it has been suspected that many companies still don’t abide by the rules so the KCC will keep up its monitoring and investigation on this issue.”
The KCC also issued a KRW 180 million (approximately €143,851) to an operator who shared users’ personal data with a third party without their prior consent.
Hyun-Jeong Kang, Partner at Shin & Kim, concluded, “This enforcement action follows the investigations carried out between 29 February and 19 April 2016 and is part of the KCC’s investigation plan. Such enforcement is not done by surprise but rather with advance notice. However, not only app providers but also other companies under the Network Act could be investigated at any time. As a result, the law should be cautiously abided by.”
Alice Marini | Privacy Analyst