Amendments to three data privacy laws in Korea and the implications

Posted on November 19, 2020
South Korea

Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020

 

Screenshot 2020-11-19 at 3.05.03 PM

Screenshot 2020-11-19 at 12.17.54 PM

 

By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee, Yoon & Yang

 

 

Three primary data privacy laws in Korea are (i) the Personal Information Protection Act (“PIPA”) enacted in 2011; (ii) the Act on the Promotion of the Use of the Information and Communications Network and Information Protection (the “Network Act”) enacted in 1999; and (iii) the Credit Information Use and Protection Act (the “Credit Information Act”) enacted in 1995. The PIPA is a general law that regulates general matters of data protection, whereas the Network Act and the Credit Information Act are sector-specific laws. The Network Act applies to data protection for online service users. The Credit Information Act regulates credit information protection.

These three data privacy laws have recently been amended extensively. The amendments to the data privacy laws are intended to streamline the regulatory framework for data protection and governance, addressing the need for efficient use of data for the emerging economy based on new technologies such as artificial intelligence, cloud computing and big data.
The amendments to the data privacy laws came into force on August 5, 2020 except for certain amendments to the Credit Information Act which will take effect in 2021.

Screenshot 2020-11-19 at 3.10.25 PM

Key aspects of the amendments to the PIPA and their implications

(1) Regulatory authorities

Prior to the amendments, the data privacy laws were enforced by multiple regulatory authorities. The PIPA was regulated by the Ministry of the Interior and Safety (“MOIS”). The regulatory bodies responsible for the enforcement of the Network Act and the Credit Information Act were the Korea Communications Commission (“KCC”) and the Financial Services Commission (“FSC”), respectively. To streamline the overlapping layers of regulatory bodies, the amendments to the data privacy laws centralise the enforcement authority at the Personal Information Protection Commission (“PIPC”), transferring data protection tasks of the MOIS and the KCC to the PIPC. The PIPC has the authority to conduct investigations and impose corrective orders and administrative fines for violation of the data privacy regulations.

(2) Scope of personal information

The amended PIPA provides criteria for determining the scope of personal information. Prior to the amendments to the PIPA, the definition of “personal information” includes information that cannot identify an individual when used alone, but can be easily combined with other information to identify an individual. There was some obscurity as to the meaning of the phrase “easily combined with other information,” resulting in difficulty in enforcement. To address this issue, the amended PIPA provides more clear criteria such that the phrase “easily combined with other information” will be reasonably construed considering the time, cost and technology required to identify an individual as well as the availability of other information.

(3) Pseudonymised information and anonymised information  

The amended PIPA introduces the conceptual framework of “pseudonymised data” which is defined as information which has been pseudonymised such that it cannot identify an individual without using or combining with additional information to restore it to its original state. Pseudominisation refers to processing personal information by deleting part of personal information or replacing all or part of personal information so that it cannot identify an individual without additional information. Under the amended PIPA, data controllers can process pseudonymised data without the consent of the data subject for the purposes of statistics preparation, scientific research and record preservation for public interest.

The amended PIPA further clarifies that the regulations under the PIPA do not apply to anonymised information, i.e., information which cannot identify an individual even when combined with other information, reasonably considering time, cost and technology required for such combination.

(4) Use of personal information for purposes reasonably related to the original purpose may not require the data subject’s consent

Under the amended PIPA, data controllers may use or provide personal information without the consent of the data subject within a scope reasonably related to the original purpose of collection as notified to the data subject at the time of the collection of personal information, if certain conditions (such as security measures such as encryption) are satisfied. Thus, flexibility is expected in data processing within a reasonable scope.

Screenshot 2020-11-19 at 3.11.55 PM

Key aspects of the amendments to the Network Act and their implications

(1) Deletion of provisions similar to or overlapping with the PIPA

The amendments to the Network Act delete the provisions which are similar to or overlapping with the PIPA so that the general law of the PIPA can apply first for personal information protection. Most of the provisions under Chapter 4 of the Network Act are deleted, and the title of Chapter 4 of the Network Act is changed from “Personal Information Protection” to “Creation of a Safe Environment for the Use of Online Services.”

(2) Transfer of provisions to the PIPA

Among the provisions deleted from the Network Act, those that differ from the PIPA or exist only in the Network Act are transferred to Chapter 6 of the PIPA (“Special Provisions Regarding Processing of Personal Information by Online Service Providers”) to protect personal information of online service users. In the case of online service providers that do not have business places or addresses within Korea and whose sales or number of users exceed certain thresholds must designate a local representative to deal with matters concerning personal information protection.

Screenshot 2020-11-19 at 3.13.32 PM

Key aspects of the amendments to the Credit Information Act and their implications

(1) Relationship with the PIPA

To secure credit data protection, the amendments to the Credit Information Act adopt certain provisions under the PIPA with changes appropriate to the financial sector. Under the amended Credit Information Act, some provisions of the PIPA apply mutatis mutandis. The Credit information Act is a special act to the PIPA, meaning that the amended Credit Information applies over the amended PIPA in the case of any conflict between them.

(2) Use of big data by pseudonymisation or anonymisation

In line with the amendments to the PIPA, the amended Credit Information Act introduces the conceptual framework of pseudonymisation and anonymisation. Under the amended Credit Information Act, if a data expert institution designated by the FSC confirms that certain information has been properly pseudonymised or anonymised, such information is deemed to have been processed such that it cannot identify an individual. This is expected to ease legal uncertainty for financial institutions in their use of big data. Under the amended Credit Information Act, as under the amended PIPA, pseudonymised data can be used or provided without the consent of the credit data subject for statistics preparation, research and record preservation for public interest. The amended Credit Information Act further specifies that “statistics preparation” includes statistics preparation for commercial purposes such as market research, and “research” includes industrial research.

(3) Changes to consent requirement

The amended Credit Information Act allows certain financial service providers to notify the credit data subject solely of a summary of important matter when obtaining the consent of the credit data subject, unless otherwise required by the credit data subject.

Under the amended Credit Information Act, some financial service providers are assigned with a “consent level” evaluated by the FSC. Such service providers must inform the credit data subject of the consent level so that the credit data subject can be aware of potential consequences of their consent.

(4) Rights of the data subject

The amended Credit Information Act enhances the rights of the credit data subject by introducing the right to data portability, the right to object and the right to be informed concerning automated decision making and profiling.

(5) Punitive damage

The amended Credit Information Act expands the award of punitive damages for intentional or grossly negligent leakage of credit information up to five times the amount of compensatory damages.

 

Conclusion

The amendments to the privacy laws have significance in that they provide a regulatory framework not only for personal information protection but also for data use. By clarifying the definition of personal information and introducing the concept of pseudonymised data, the amendments to the privacy laws are expected to invigorate the emerging data economy based on new technologies.

While the privacy laws have been amended extensively at the same time, they contain partially different provisions with different scope of application. Therefore, there still remains the possibility that those provisions may be construed differently in the context of each privacy law. In that regard, the regulating authorities are expected to further publish subordinate regulations and guidelines.

It is also noteworthy that the amendments to the privacy laws introduce the concept of pseudonymised and anonymised data. However, necessary details for its application need to be further clarified.

 

Screenshot 2020-11-19 at 3.15.16 PM

W: http://www.yoonyang.com/

E:  kwlee@yoonyang.com
E:  hkhwang@yoonyang.com
E:  cglim@yoonyang.com
E:  klee@yoonyang.com

 

Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Data + Cyber Security Special Report 2020.

 

Related Articles by Firm
‘Untact’ business and cybersecurity in Vietnam
By Sungdo Choi and Ha Thi Tinh, Yoon & Yang
Webinar: Debt Financing – Structure and Regulation of Domestic and Foreign Loans in Vietnam
A recording of the presentation by Ji Hoon Cha and Ha Thi Tinh from Yoon & Yang Law (Vietnam) LLC made during In-House Community eCongress Vietnam ...
Yoon & Yang opens Ho Chi Minh City office
Yoon & Yang is opening an office in Vietnam, in the heart of Ho Chi Minh City’s central business district. ...
Recent examples of consent decrees in Korea and their implications
Despite an animated exchange of opinions regarding consent decrees since their introduction in Korea in 2011, expect the system to be used more actively in the future as companies have begun to view it as a viable way to resolve free-trade ...
Regulation of personal information in new fields
Focussing on topics such as big data, cloud computing and healthcare, Wonil Kim, Kwang-Wook Lee and Ji Hye Seol of Yoon & Yang examine how new technologies will affect personal information regulation in South Korea.
Related Articles
Core Points of the New PRC Company Law and Compliance Transformation of Limited Liability Companies
The Use of Hydrogen in the Energy System in Malaysia and the Relevant Laws and Regulations
Getting to know… Joe Liu
Related Articles by Jurisdiction
Firms Of The Year Results 2023 South Korea
Major amendments to the Product Liability Act
Since its introduction on July 1, 2002, the Product Liability Act has been enforced for the purpose of holding manufacturers, etc, liable for any damages caused to life, body or property resulting from defects of their products, according to the principle of ...
Current trends with Domain Name Disputes
There have been many instances where a company, intending to expand its business into the Internet world, learns that someone already has registered and owns the company’s business name on …
Latest Articles
IHC Magazine: July 2024 issue with focus on AML, Corruption and Sanctions
Simmons Names New Regulatory Head in Hong Kong
Atsumi & Sakai Opens new Office in Ho Chi Minh