Amended Enforcement Decree of the Personal Information Protection Act of Korea

The amended Personal Information Protection Act of Korea (PIPA), Korea’s main legal framework for personal data protection, came into effect on September 15, 2023. On the same date, the amended Enforcement Decree of the PIPA (the Enforcement Decree), which provides detailed regulations implementing the amended PIPA provisions, also came into effect. As for the amended PIPA provisions pertaining to, among others, the right to data portability and the right to contest automated decision-making, which are scheduled to take effect later than September 15, 2023, the corresponding amended Enforcement Decree provisions are expected to become effective on the same later date.

The key changes introduced by the amended Enforcement Decree effective as of September 15 are as follows.

  1. Protection of Personal Information of Children under the Age of 14 (Art. 17-2(1) of the amended Enforcement Decree)
    • To align with the amended PIPA’s newly established provision on the protection of personal information of children under 14, which applies to both online and offline businesses, the amended Enforcement Decree specifies the methods by which all data controllers – i.e., both online and offline businesses – may obtain consent from the legal representative of a child under 14 for the processing of the child’s personal information.
  2. Unified Rules on Online and Offline Businesses
    • Notification and Reporting of Data Breach (Arts. 39 and 40 of the amended Enforcement Decree)
    • In relation to the amended PIPA provisions, which eliminate the previously differing notification and reporting obligations for online and offline businesses, the amended Enforcement Decree imposes an obligation on both online and offline data controllers to notify affected data subjects of a data breach, and to report it to the relevant authority, within 72 hours of becoming aware of the breach.
    • Also, the amended Enforcement Decree introduces for the first time a “risk-based approach” in assessing the conditions that may trigger a reporting obligation, whereas under the pre-amended Enforcement Decree, a reporting obligation was triggered regardless of the level of risk arising from the data breach.
    • Security Measures (Art. 30 of the amended Enforcement Decree)
    • As another step towards unifying the different rules applicable to online and offline data controllers, the amended PIPA now applies to all data controllers the more stringent criteria that previously applied only to online data controllers. The amended Enforcement Decree elaborates on the details of such security measures to safeguard data subjects’ personal information and, based on the principle of technology neutrality, has also removed terminology that might cause the misconception that certain technologies or equipment must be adopted, so that a wide range of new technologies, such as the latest security and authentication technologies, may be introduced. More specific details are expected to be provided in the forthcoming amendment to the Personal Information Protection Commission (PIPC)’s Notification on Security Measures for Safeguarding Personal Information.
    • Designation of Domestic Representative (Art. 32-2 of the amended Enforcement Decree)
    • The amended PIPA has expanded the obligation to designate a domestic representative, which previously applied only to online data controllers, to all data controllers – i.e., both online and offline. In furtherance of that provision, the amended Enforcement Decree now provides that the threshold used to determine whether a data controller is subject to the domestic representative designation obligation is based on the relevant data controller’s “total sales revenue” rather than the “sales revenue related to the online business division,” which was the criterion used under the pre-amended Enforcement Decree.
  3. Cross-border Transfer of Personal Information (Arts. 29-8 to 29-12 of the amended Enforcement Decree)
    • The amended Enforcement Decree provides for detailed requirements and procedures for the two newly added legal bases for cross-border transfer of personal information without consent – i.e., (i) if the overseas recipient has a data protection certification as prescribed by the PIPC; and (ii) if the overseas recipient is a country or an international organization recognized by the PIPC as having an appropriate level of protection.
    • With respect to the PIPC’s newly granted power under the amended PIPA to order a data controller to suspend a cross-border transfer, the amended Enforcement Decree sets out specific factors to be considered in determining whether to issue a suspension order. Any objection to the PIPC’s suspension order must be made within seven days from the date of receipt of the order, and the PIPC has 30 days to respond to the objection. Further details of the restrictions on cross-border transfer are expected to be embodied in the forthcoming amendments to the PIPC’s Notification on Management of Overseas Transfer of Personal Information.
  4. Mobile Visual Information Processing Devices (Arts. 3(2) and 27-2 of the amended Enforcement Decree)
    • The amended Enforcement Decree explicitly defines “mobile visual information processing devices” as (i) wearable devices, (ii) portable devices, and (iii) attachable devices. The fact that filming/photographing is taking place may be indicated through light, sound, signboards, written guides, announcements, or other similar means. However, where it is difficult to notify the data subject of the filming/photographing due to the nature of the recording method, such as aerial filming using drones, notification may be made through an Internet website to be developed by the PIPC.
  5. Administrative Penalties and Fines (Arts. 60-2 and 63 and Tables 1-5 and 2 to the amended Enforcement Decree)
    • In relation to the increase under the amended PIPA of the upper limit of the administrative penalty for a violation of the PIPA from “3% of the sales revenue related to the violation” to “3% of the total sales revenue” (with the possible exclusion of sales revenue unrelated to the violation if the data controller successfully proves it), the amended Enforcement Decree sets forth detailed criteria for determining “sales revenue unrelated to the violation.” In addition, the amended Enforcement Decree has updated the thresholds used to calculate an administrative penalty amount, including the change of fixed base rates (%) to ranges, upward adjustments in the base penalty amounts (which apply when no sales revenue amount is available), and the change from three to four levels/grades of severity of the violation (which determine the applicable base rate or base penalty amount). More specific details are expected to be included in the forthcoming amendments to the PIPC’s Notification on Detailed Standards for Imposition of Administrative Fines.
    • It is noteworthy that along with the reduction or exemption of administrative fines provided in the amended PIPA, the amended Enforcement Decree further specifies additional mitigating factors to be considered in reducing or exempting administrative fines.

*            *            *

Lee & Ko’s Data Privacy & Cybersecurity Group is recognized as the leader in the field of data protection and data security in Korea, having the largest practice in terms of the number of attorneys and advisors specializing in the field, the prestige of its clients and the major cases handled each year. With our in-depth expertise and accumulated experience, we offer top-notch legal services, ranging from advice on personal data and data security-related issues, regulatory and licensing matters, and transactional work, to investigatory, litigation and dispute resolution cases. Please contact us if you have any questions, or require our advice or assistance regarding the amended PIPA and amended Enforcement Decree.

For more information on the amended PIPA, please refer to the links below:

Second Major Amendment to the Personal Information Protection Act Passed by National Assembly (I) (link)

Second Major Amendment to the Personal Information Protection Act Passed by National Assembly (II) (link)

Second Major Amendment to the Personal Information Protection Act Passed by National Assembly (III) (link)
