On February 27, 2023, the National Assembly passed a bill containing a number of amendments to the Personal Information Protection Act (the Amended PIPA), Korea’s general data protection law.  The Amended PIPA, which represents the second step of the Korean government’s multi-step amendment process for the PIPA following the passage of the first amendment in 2020, is scheduled to go into effect from September 15, 2023, except certain provisions therein, including those relating to automated decision-making and the right to data portability.

The legislative purpose of the Amended PIPA is to facilitate the use of personal information while strengthening the protection of data subjects’ rights and ensuring compatibility and interoperability with the global regulatory regime in the advent of the digital economy.  Accordingly, the Amended PIPA contains some significant changes in terms of substance.

In a series of 3 newsletters, which will be circulated in short succession, we will take a closer look at some of the key provisions of the Amended PIPA as set out below.

Newsletter No. 1: Provisions relating to the processing of personal information in general

–       Unification of data protection rules applying to offline and online businesses

–       Revamping of provisions relating to administrative penalties and criminal penalties

–       Easing of requirements for the processing of personal information

–       Revamping of provisions relating to the mediation of disputes involving personal information

Newsletter No. 2: Provisions relating to the processing of special categories of personal information

–       Revamping of provisions relating to visual information processing devices

–       Introduction of rights relating to automated decision-making

–       New rules for cross-border transfers of personal information

Newsletter No. 3: Provisions relating to the right to data portability

 

In this third newsletter, we review the key provisions of the Amended PIPA relating to the right to data portability.

  1. Establishment of new provisions relating to the right to data portability

The Amended PIPA contains a new provision (Art. 35-2), which will go into effect on a to-be-determined date between 12 months and 24 months after its March 14, 2023 promulgation date, that grants data subjects the right to request transmission of their personal information to either themselves or third parties so long as such personal information is not generated from analysis/processing of the same collected by the data controller and meets the following criteria:

  • the personal information must have been (i) processed based on the consent of the data subject; (ii) processed to perform a contract executed with the data subject or to implement measures requested by the data subject in the course of executing the contract; or (iii) designated by the Personal Information Protection Commission (the PIPC) pursuant to a request from a central administrative agency for the data subject’s or public interest in cases where the transmission thereof is permitted by or unavoidably necessary for compliance with law; is unavoidably necessary for a public institution to conduct its statutorily prescribed tasks; or concerns sensitive information or unique identification information and its processing is permitted or required by law; and
  • the personal information must have been processed by an information processing device such as a computer.

Upon request from a data subject, the data controller must transmit the personal information in a commonly used and machine-readable format, which can be processed through a data processing device (e.g., computer), to the extent technically feasible and reasonable in terms of time and cost.  In addition, the PIPC will be authorized to create a personal information transmission support platform that will provide data subjects with certain information (e.g., items of personal information that can be transmitted, records of transmission requests/withdrawals made by data subjects) necessary for the transmission of their personal information.  In case of requests for transmission to a third party, the third party must be a professional institution specialized in personal information management (Specialized Institution) or another data controller that has implemented the requisite technical, managerial, and physical security measures and has satisfied relevant standards for facilities/equipment prescribed by the PIPA and its Enforcement Decree.

Further, the Amended PIPA contains an additional provision (Art. 35-3), scheduled to go into effect one year after its March 14, 2023 promulgation date, that will obligate organizations to receive designation as a Specialized Institution from the PIPC or the relevant central administrative agency when seeking to conduct any of the following tasks: (i) support data subjects with the exercise of their right to data portability; (ii) establish/standardize a personal information transmission system or manage/analyze personal information to support data subjects with the exercise of their rights; or (iii) any other tasks prescribed by the Enforcement Decree of the PIPA to effectively support data subjects with the exercise of their rights.

It is anticipated that forthcoming amendments to the Enforcement Decree of the PIPA will include further details of, among other things, the criteria for personal information which may be the subject of a transmission request, standards for determining which data controllers would be subject to the data subjects’ right to data portability, methods of requesting transmission, and the methods of transmission/transmission refusal/transmission suspension.

  1. Implications

The introduction of the right to data portability is intended to further strengthen the data subject’s control over his/her own personal information across all sectors where it processed, alleviate the monopolization of the processing of personal information by the major platform operators, and lay the groundwork for various economic entities, such as start-ups, to safely utilize personal information. Although there are differing views on what the actual impact of the right to data portability may be, the introduction of this right is likely to bring about significant changes in the way personal information is processed in Korea.

However, data standardization will be essential to facilitating the transmission of personal information between companies and across industries, and judging from precedents in the financial sector where a similar right to data portability was introduced previously in August 2020, this task is expected to pose considerable technical and economic challenges.

Furthermore, because the right to data portability under the Amended PIPA was designed to not only enhance the rights of data subjects but also to facilitate the data economy, this right differs to its namesake under the GDPR whose focus is mainly on the protection of data subjects and thus, the former may need to be interpreted differently from the latter in certain respects.  Therefore, due to this degree of uncertainty regarding how the interpretation and application of this PIPA right may take shape in the future, companies are advised to closely follow corresponding amendments to the Enforcement Decree of the PIPA and other regulations issued thereunder.

If you have any questions regarding this article, please contact below:

Kwang Bae PARK (kwangbae.park@leeko.com)

Jongsoo (Jay) YOON (jay.yoon@leeko.com)

Hwan Kyoung KO (hwankyoung.ko@leeko.com)

Sunghee CHE (sunghee.chae@leeko.com)

Kyung Min SON (kyungmin.son@leeko.com)

For more information, please visit our website: www.leeko.com

More from Lee & Ko