On January 6, 2021, the Personal Information Protection Committee (PIPC) proposed and announced for public comment significant amendments to the Personal Information Protection Act (PIPA) (the Proposed Amendments). We discuss some of the key aspects of the Proposed Amendments in greater detail below.
Redefining the relationship between the PIPA and the special provisions under other laws regarding data protection
The current PIPA provides that while the PIPA generally applies to the protection of personal information, special provisions set forth in other data protection laws will take precedence over the relevant provisions of the PIPA to the extent that those provisions are conflicting with each other. This outcome has created much confusion in the market with respect to the precise scope of the applicability of the relevant PIPA provisions and the special provisions, and such confusion sometimes resulted in inconsistency in the protection of personal information. To address this inconsistency, the Proposed Amendments provide that, in principle, the provisions of the PIPA will now override the special provisions of other laws, except when applying such other laws would be more beneficial to the protection of personal information. As such, once the Proposed Amendments are adopted, the status of the PIPA as the general law on personal information protection is expected to be reinforced, and the minimum level of protection is also expected to be generally upgraded.
Unification of different data protection rules applying to ordinary data handlers and data handlers which are ICSPs
The current PIPA prescribes one set of data protection rules for ordinary data handlers (which is a concept similar to ‘data controller’ under GDPR) and a different set of data protection rules for data handlers that are information communications service providers (‘ICSPs,’ a concept which is interpreted quite broadly to include providers of a wide range of services offered over telecommunications or information services networks). The Proposed Amendments propose to eliminate this discrepancy by subjecting ordinary data handlers and ICSPs to the same data protection rules and requirements, including those relating to the legal bases for a data handler’s collection and/or use of personal information, restrictions on the cross-border transfer of personal information and data breach reporting/notification obligations. So, once the Proposed Amendments are adopted, all legal bases available under the PIPA for a data handler’s collection and/or use of personal information will apply equally to ordinary data handlers and data handlers that are ICSPs.
Expansion of legal bases for provision to third parties
Under the current PIPA, the provision of personal information to a third party is permitted only in cases where: (i) consent for such provision is obtained from the data subject, (ii) such provision is specifically required or permissible under other applicable laws and regulations, (iii) such provision is necessary to comply with the data handler’s obligations under other applicable laws and regulations, or (iv) there exists a clear and urgent need to protect the life, physical or economic interest of the data subject or a third party, and consent for the provision of personal data cannot be obtained in an ordinary manner because the data subject (or his/her legal guardian) cannot express his/her intent or his/her address is unknown.
The Proposed Amendments propose to add new legal bases for the data handler’s provision of personal information to third parties as follows: (i) where provision is necessary to achieve a legitimate interest of the data handler and where such interest clearly overrides the rights of the data subject, and (ii) where personal information needs to be processed urgently for public health or other purposes related to public safety/welfare and where the personal information in question is only processed temporarily.
As such, the Proposed Amendments propose that Article 58(1)3 of the current PIPA be transferred to Article 17(1)2. Under the current PIPA, Article 58 extensively excludes the application of the PIPA’s personal information protection provisions, including those regarding processing and safe management of personal information and guarantee of the rights of data subjects in cases involving public health/safety issues. Once the Proposed Amendments are adopted, only the application of the consent requirements regarding the collection and/or use of personal information under Article 17(1)2 would be excluded in cases involving public health and safety issues, while other personal information protection provisions of the PIPA would continue to be applicable to such cases.
New rules regarding mobile visual information processing devices
Since the current PIPA includes special provisions only for ‘stationary’ visual information processing devices (e.g. CCTV), individual consent of the data subject is required under the PIPA to collect and use the personal information obtained through a ‘mobile’ visual information processing device such as a drone or an autonomous driving vehicle. So, the PIPA has caused difficulties for those companies seeking to utilize personal information for industrial purposes. Under the Proposed Amendments, the filming of personal information through a mobile visual information processing device would be allowed when the data subject does not expressly refuse to be filmed even though the data subject is aware of such filming as indicated by light, sound, sign, etc. or the data subject could know that the filming is taking place. Also, the Proposed Amendments establish a standard procedure for safe operation of mobile visual information processing devices.
Introduction of new rights for data subjects
The Proposed Amendments introduce the right to data portability and the rights regarding automated decision-making. These rights are based on and nearly identical to the rights stipulated in Article 20 (right to data portability) and Article 22 (automated individual decision-making, including profiling) of the GDPR. However, it remains to be seen if these newly-proposed rights for data subjects will be enacted in their current form given the recent strong backlash from various industries — in particular, against the right to data portability.
New rules for cross-border transfers
The PIPA currently provides for different consent requirements between ordinary data handlers and data handlers that are ICSPs for the cross-border transfer of personal information. The Proposed Amendments seek to eliminate this dual approach by adopting the same new rules for both ordinary data handlers and data handlers that are ICSPs regarding cross-border transfers. Some key aspects of these new rules are summarized below.
- Similar to the GDPR, the new rules will permit cross-border transfers of personal information without consent to those jurisdictions/international organizations that have been specifically recognized by the PIPC as having essentially equivalent levels of data protection as Korea.
- The new rules permit cross-border transfers of personal information without consent in several cases, including those in which an overseas recipient has obtained certification from an organization designated by the PIPC.
- The new rules prescribe slightly modified notice/consent requirements for cross-border transfers of personal information based on the existing rules applicable to ICSPs.
- The PIPC will be newly authorized to order data handlers to cease cross-border transfers of personal information when: (i) such data handlers have violated any provisions related to cross-border transfers; (ii) it is clearly evident that the recipient or the jurisdiction of the cross-border transfer is not adequately protecting personal information; or (iii) it is clearly evident that there will be an unfair infringement of the rights of data subjects due to a cross-border transfer.
It should, however, be noted that, unlike the EU GDPR, the Proposed Amendments do not specify standard contractual clauses or binding corporate rules as a legal basis for a cross-border transfer.
Changes to the rules regarding the PIPA enforcement
Under the Proposed Amendments, it would be easier for the PIPC to impose a corrective order, as the Proposed Amendments simplify the requirements for imposing corrective orders. The PIPC will be permitted to issue a corrective order when a data handler violates the PIPA. Under the current PIPA, the PIPC is authorized to issue a corrective order when there is a violation likely to cause irreparable damage to data subjects if such violation goes uncorrected.
Also, under the current PIPA, the PIPC may publish information on a violation of the PIPA by a data handler and impose sanctions on such data handler. The Proposed Amendments authorize the PIPC to order the data handler in violation of the PIPA to publish such information.
More importantly, the Proposed Amendments provide for significant changes to the rules on both criminal and administrative sanctions. Under the current PIPA, the data handlers and the individual directly responsible for the violation of the PIPA may be subject to criminal liability. However, under the Proposed Amendments, only those responsible for violations committed for the purpose of benefiting themselves or third parties are subject to criminal liability, thereby reducing the risk of triggering a criminal penalty.
On the other hand, the rules regarding the imposition of an administrative penalty are simplified and strengthened. Under the current PIPA, an administrative penalty can be imposed only for the following violations: (i) unlawful processing of pseudonymized information by data handlers including ICSPs, (ii) leakage of resident registration numbers by ordinary data handlers, and (iii) violation of multiple provisions of the PIPA by an ICSP, such as the failure to obtain a data subject’s consent. Under the Proposed Amendments, the PIPC will be authorized to impose an administrative penalty more extensively on ordinary data handlers. Also, the upper limit of the administrative penalty will be increased to up to 3% of the total sales revenue, rather than the relevant sales revenue. So, once the Proposed Amendments are adopted, the risk of incurring criminal liability (including imprisonment) for a PIPA violation would be reduced, while the risk of being subject to administrative sanctions (e.g., an administrative penalty) would be increased.
Also, there are proposed changes to the current dispute mediation procedure for settling a dispute between data handlers and data subjects by the Personal Information Dispute Mediation Committee (PIDMC). It is anticipated that data subjects may more frequently look to this dispute mediation procedure once the Proposed Amendments are adopted by the National Assembly. As proposed in the Proposed Amendments, the PIDMC will have the power to investigate the relevant facts, and the data handlers will be obligated to respond to the request for dispute mediation by participating in the mediation process.
Given the changes above proposed by the Proposed Amendments, it is anticipated that the PIPC would be encouraged to enforce the PIPA more aggressively once the Proposed Amendments are adopted.
At this point, it is not clear if and when the Proposed Amendments will be adopted by the National Assembly, and it is possible that the Proposed Amendments may be revised based on the comments received through the public comment process, which was completed on February 16. Nonetheless, given the fact that the Proposed Amendments were drafted and proposed by the PIPC (as a second part of the PIPC’s intended multi-step amendment process for the PIPA following the first amendment already passed in 2020), most of the provisions in the Proposed Amendments are expected to remain unchanged (or with some minor modifications). Regardless of the outcome of the Proposed Amendments, the Proposed Amendments provide meaningful insight into how the PIPC intends to amend and enforce the PIPA in the future.
If you have any questions regarding this article, please contact below:
Samuel (Soon-Yub) KWON (email@example.com)
Kwang Bae PARK (firstname.lastname@example.org)
Jong Soo (Jay) YOON (email@example.com)
Sung Hee CHAE (firstname.lastname@example.org)
For more information, please visit our website: www.leeko.com