On February 27, 2023, the National Assembly passed a bill containing a number of amendments to the Personal Information Protection Act (the Amended PIPA), Korea’s general data protection law.  The Amended PIPA, which represents the second step of the Korean government’s multi-step amendment process for the PIPA following the passage of the first amendment in 2020, is scheduled to go into effect 6 months from its promulgation date (which must take place within the next 15 days). However, certain provisions therein, including those relating to automated decision-making and the right to data portability, are scheduled to go into effect 12 months thereafter.

The legislative purpose of the Amended PIPA is to facilitate the use of personal information while strengthening the protection of data subjects’ rights and ensuring compatibility and interoperability with the global regulatory regime in the advent of the digital economy.  Accordingly, the Amended PIPA contains some significant changes in terms of substance.

In a series of 3 newsletters, we will take a closer look at some of the key provisions of the Amended PIPA as set out below.

Newsletter No. 1: Provisions relating to the processing of personal information in general

–       Unification of data protection rules for offline and online businesses

–       Revamping of provisions relating to administrative penalties and criminal penalties

–       Easing of requirements for the processing of personal information

–       Revamping of provisions relating to the mediation of disputes involving personal information

Newsletter No. 2: Provisions relating to the processing of special categories of personal information

–       Revamping of provisions relating to visual information processing devices

–       Introduction of rights relating to automated decision-making

–       New rules for cross-border transfers of personal information

Newsletter No. 3: Provisions relating to the right to data portability

In this first newsletter, we review some of the key provisions of the Amended PIPA relating to the processing of personal information in general.  Companies are advised to pay close attention to these provisions as they differ in certain respects to the previously proposed amendments thereto that were proposed by the Korean government back in January 2021 (the Government Proposal).

  1. Unification of data protection rules for offline and online businesses

The current PIPA prescribes one set of data protection rules for ordinary data controllers (a concept similar to that of a “data controller” under GDPR) and a different set of data protection rules for data controllers that are information communications service providers (or ICSPs, a concept which is interpreted quite broadly to include providers of a wide range of services offered over telecommunications or information services networks).  The Amended PIPA eliminates this discrepancy by subjecting ordinary data controllers and ICSPs to the same data protection rules and requirements based on the principle of the “same regulation of the same act.”  Accordingly, Chapter 6 (Articles 39-3 to 39-15) of the current PIPA, which applies only to ICSPs, is deleted in its entirety under the Amended PIPA.  However, certain special rules applicable only to ICSPs (i.e., some of the deleted provisions) have been (i) consolidated with other general provisions overlapping substantially therewith or (ii) expanded in scope for application to all data controllers after being moved elsewhere under the Amended PIPA.

The aforesaid unification of data protection rules are expected to address persistent criticism that the different data protection rules under the current PIPA, applying respectively to ordinary data controllers and ICSPs, create unnecessary confusion in regards to enforcement because the distinction between the two is not always clear.  These latest changes, however, may increase the compliance burden of offline businesses which will become subject to additional data privacy requirements under the Amended PIPA which currently apply only to ICSPs. Thus, offline businesses are advised to closely follow corresponding amendments to the Enforcement Decree of the PIPA to check if and to what extent they may be subject to such additional data privacy requirements.

  1. Revamping of provisions relating to administrative penalties and criminal penalties (Articles 64-2 and 71 ~ 73)

The Amended PIPA also seeks to revamp some of the administrative penalty and penalty provisions as follows.

  1. Consolidation of administrative penalty provisions

Under the current PIPA, different provisions prescribe administrative penalties for various violations ranging from (i) unlawful processing of pseudonymized information, (ii) leakage of resident registration numbers, and (iii) violations committed specifically by ICSPs, such as failures to obtain consent.  Under the Amended PIPA, however, all administrative penalties will be prescribed by a single provision – the newly created Article 64-2 – which will apply to both ordinary data controllers and ICSPs alike.

Offline businesses are advised to take note that the collection/use of personal information without consent and the collection/use of personal information of a data subject under 14 without his/her legal representative’s consent will be subject to an administrative penalty under the Amended PIPA instead of an administrative fine under the current PIPA.

  1. Changing the upper limit of administrative penalties

Under the current PIPA, the upper limit of the administrative penalty is 3% of the sales revenue related to the activity in violation of the PIPA.  Under the Amended PIPA, however, the upper limit of the administrative penalty will, in principal, be 3% of total sales revenue unless the data controller can successfully argue for the exclusion of any sales revenue unrelated to the activity in violation of the PIPA[1].  However, it should be noted that if a data controller refuses to submit sales calculation data without a justifiable reason or submits any such data that is false, the upper limit of the penalty may be calculated based just on 3% of total sales revenue, with the inclusion of sales revenue that appears unrelated to the activity in violation of the PIPA.

  1. Revamping of criminal penalty provisions

The Amended PIPA will prescribe the same criminal penalties for the same violations irrespective of whether such violations are committed by ordinary data controllers or ICSPs.  However, certain violations which are currently subject to criminal penalties will be subject only to administrative penalties under the Amended PIPA. Specifically, provisions in the current PIPA prescribing criminal penalties for (i) the leakage of personal information due to the data controller’s failure to implement mandatory security measures, (ii) an ICSP’s collection and use of personal information without consent, and (iii) a failure to destroy personal information have been deleted from the Amended PIPA.

  1. Easing of consent requirements for the processing of personal information

The Amended PIPA will ease certain requirements for the processing of personal information without the data subject’s consent as below.

  1. The current PIPA provides that personal information may be collected and used without the data subject’s consent in cases where such collection/use is “unavoidably necessary” for entering into and performing a contract with such data subject. However, the phrase “unavoidably necessary” will be deleted from the relevant provision (Art. 15(1)(iv)) in the Amended PIPA, thereby reducing the excessive reliance on the data subject’s consent as a legal base for the collection/use of personal information.
  2. In addition, the current PIPA provides that personal information may be used/provided beyond consented purposes if there exists a clear and urgent need to protect the life, physical body or economic interest of the data subject or a third party, and consent for such use/provision cannot be obtained because the data subject or his/her legal representative is unable to express his/her intent or his/her address is unknown. However, the phrase “and consent for such use/provision cannot be obtained because the data subject or his/her legal representative is unable to express his/her intent or his/her address is unknown” will be deleted from the relevant provision (Art. 18(2)(iii)) in the Amended PIPA, thereby easing requirements for the use/provision of personal information without consent in cases where there is an urgent need to protect the lives of individuals.
  3. Lastly, the Amended PIPA will contain newly created provisions (Art. 15(1)(vii) and Art. 18(2)(x)) that will permit the collection/use of personal information without consent and the collection/provision of personal information beyond consented purposes if urgently necessary to ensure public safety and well-being, including public health (e.g., prevention of the spread of COVID-19 and other infectious diseases).

  1. Revamping of provisions relating to the mediation of disputes involving personal information

To promote the mediation of disputes involving personal information by the Personal Information Dispute Mediation Committee (the PIDMC) as a more efficient alternative to litigation for the settlement of such disputes, the Amended PIPA will amend or newly create several provisions such as the following:

  • The scope of data controllers obligated to participate in mediation by the PIDMC (Art. 43(3)) has been expanded from public institutions (under the current PIPA) to data controllers in general.
  • Committee members of the PIDMC and public officials belonging to related organizations will be granted new authority to conduct relevant fact-finding by visiting locations related to the dispute to conduct investigations and view relevant materials (Art. 45(2),(3)).

Consequently, it is anticipated that data subjects will be able to exercise their rights more robustly than before by taking advantage of these improvements which, in turn, is expected to result in more dispute mediation cases before the PIDMC and a corresponding increase in the burden of data controllers to respond to such cases.

  1. Other amendments

Notably, the Amended PIPA will also contain, among others, the following provisions relating to the processing of personal information:

  • If a data controller determines that there is a risk of privacy infringement due to the inclusion of sensitive information in the information that will be disclosed in the course of providing goods/services, such data controller will be required to provide data subjects with prior notice of (i) the possibility that their sensitive information may be disclosed and (ii) the methods on how to choose not to disclose their sensitive information (Art. 23(3)).
  • New obligation imposed on data controllers to destroy pseudonymized information in their possession (Art. 28-7).
  • An evaluation system for privacy policies will be introduced which will allow them to be assessed for compliance with applicable requirements, including whether privacy policies have been prepared/disclosed in a manner easily understandable/viewable by data subjects, and provide for the recommendation of improvements (Art. 30-2).
  • The PIPC will be granted discretion to specially reduce or waive any administrative fines it has imposed after considering extenuating circumstances such as the severity/motivation/results of the activity in violation of the PIPA and the scale of the data controller’s business operations (proviso to Art.75(5)).

If you have any questions regarding this article, please contact below:

Kwang Bae PARK (kwangbae.park@leeko.com)

Jong soo (Jay) YOON (jay.yoon@leeko.com)

Hwan Kyoung KO (hwankyoung.ko@leeko.com)

Sunghee CHE (sunghee.chae@leeko.com)

Kyung Min SON (kyungmin.son@leeko.com)

For more information, please visit our website: www.leeko.com

[1] Initially, the Government Proposal only stated a maximum administrative penalty amount of 3% of total sales revenue, which was subsequently changed, after the public commentary period, to permit the exclusion of any sales revenue unrelated to the activity in violation of the PIPA.

More from Lee & Ko