The PIPA: South Korea's Data Protection Law
PIPA aims to enhance the rights and interests of citizens by protecting their privacy from the “unauthorized collection, leak, abuse or misuse of personal information.”
What is the PIPA?
South Korea’s Personal Information Protection Act (“PIPA”) was enacted on September 30, 2011 and is considered to be one of the strictest data protection regimes in the world.
South Korea’s prior Public Agency Data Protection Act was largely limited. In the private sector, it applied only to those businesses that used telecommunications services. And in the public sector, the legislation covered all public agencies but lacked enough limits on government collection of data. The old Act was replaced with the more comprehensive PIPA, which applies to both public and private sectors. As a result, “more than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms.”
What is the Scope of the PIPA?
PIPA applies to any public institution, corporate body, organization, individual, etc., that manages personal information, directly or via another person, in order to administer personal information files as part of its duties.
Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject to the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action.
Who Does the PIPA Apply To?
Scope of the Personal Information Protection Act
PIPA applies to personal information processing organizations, known as “data handlers,” that are defined as a person, government entity, company, individual, or any other person that, directly or through a third party, handles personal information for work or business purposes. Personal information refers to information pertaining to a living individual, which contains information identifying a specific person, such as name, national identification number, images, or other similar information.
Under the Act on the Promotion of Information and Communication Network Utilization and Information Protection (the “Network Act”), which supplements PIPA, personal information includes name, national identification number, letter, voice, sound image, and all other information that makes it possible to identify a specific person. The Network Act provides measures for protecting the personal information of users collected and used by the telecommunications business operators.
In addition to regulating personal information, the Acts impose compliance measures to ensure proper collection, use, and transfer, among other things, of users’ personal information. Technical and managerial protective measures must be taken in order to store personal information. Organizations must also inform data subjects of their rights and of the organization's obligations as a data handler.
Though the two Acts do not specify whether the laws apply to foreign organizations or acts occurring abroad, the Korea Communications Commission (the “KCC”), among other regulatory authorities, applies the Acts if foreign organizations target Korean users. In determining whether the Network Act applies, for example, the KCC will consider: (a) the location of the website’s server; (b) whether the website is written in the Korean language and the website uses a Korean domain name; and (c) whether the website conducts promotional activities in Korea. In January 2014, a multinational corporation was fined KRW 200 million by the KCC for collecting Korean users’ personal information without obtaining consent.
How Are Data Controllers and Data Processors Treated?
There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law.
There is no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession.
What are the lawful bases for collection and data processing?
Lawfulness, Fairness and Transparency
The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes.
The personal information processor should use personal information only for the purposes specified to the data subject in any applicable consent.
The personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.
The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes.
The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible.
What are the penalties?
South Korea also has a track record of enforcement of data protection laws. Chapter 9 of PIPA contains severe sanctions for data security breaches including substantial fines and imprisonment – up to 50 million won in fines and imprisonment of up to five years are potential consequences.
Relentless: Your PIPA Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients in executing each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
Relentless PIPA Service: What's Included?
Our PIPA Service Includes the Following
- PIPA Assessment
- Dedicated DPO
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Breach Support