On February 27, 2023, the proposed amendment to the Personal Information Protection Act (the “PIPA”) passed the National Assembly (the “Amended PIPA”). The Amended PIPA was subsequently approved by the Cabinet on March 7 and awaits promulgation on March 14. While the Amended PIPA will not take effect until at least September 15, 2023, it brings about significant changes to the existing data protection regime, including broader rights for data subjects, unified data privacy rules for all personal information controllers, and replacement of criminal punishments with economic sanctions (e.g., administrative fines and penalty surcharges). In this newsletter, we will dive deeper into the background and key aspects of the Amended PIPA.
I. Background
In August 2020, significant amendments were made to the PIPA, the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”), and the Credit Information Use and Protection Act (the “Credit Act”), collectively known as Korea’s “Three Major Data Laws.” The objective of these amendments was twofold: (i) establish a centralized organization/system to manage and protect personal information and (ii) promote the data economy. At that time, extensive discussions also took place about the need to further strengthen the rights of individuals as the next legislative task in response to the changes in the data environment.
As part of the amendments to the Three Major Data Laws, provisions on pseudonymized data were newly introduced to the PIPA to encourage the more active use of data, the then-Network Act’s provisions on data processing that applied to information and communications service providers (“ICSPs”) were transferred and integrated into the PIPA as special provisions applicable to the ICSPs (“Special Provisions”), and the Personal Information Protection Commission (“PIPC”) became Korea’s central administrative agency with jurisdiction over data privacy matters and responsible for enforcing the relevant laws.
Even with these amendments, however, there were criticisms that the laws continued to impose requirements that did not sufficiently reflect the changes brought on by the shift towards a data-driven era, such as the obligation to obtain “mandatory consent” for certain processing of personal information, rigid requirements placed on cross-border transfers of personal information, and bifurcated rules for online and offline businesses.
As a result, the Amended PIPA was introduced to further improve the nation’s main privacy law.
II. Key Aspects
1. Expansion of the legitimate grounds for the collection and use of personal information [1]
In the absence of the data subject’s consent, the existing PIPA allows for the collection and use of personal information only on limited grounds, including “where it is inevitably necessary to execute and perform a contract with a data subject.” Such bases on which personal information controllers may collect and use personal information without user consent have been expanded under the Amended PIPA, which allows for the processing of personal information without user consent “where it is necessary to perform a contract with a data subject or perform measures at the request of the data subject in the process of executing a contract.”
In other words, personal information controllers need not obtain consent to the collection and use of personal information that is essential for the provision of their products/services but bear the burden to establish such necessity. As we expect the PIPC to provide further guidance on this issue, including the scope of what is considered “essential” for the provision of products/services, companies are advised to closely monitor related developments.
2. Expansion of the data subjects’ rights [2]
- Right to Data Portability
The Amended PIPA has broadened the rights of data subjects with the introduction of the general right to data portability, which allows data subjects to request personal information controllers to transfer their personal information either to themselves or to a third party (e.g., other personal information controllers or institutions specializing in the management of personal information).
Further details on the right to data portability, such as the scope of information subject to the transfer request, the method of making and withdrawing the transmission request, the transmission period and method, and the method of refusing a transmission request or suspending the transmission, are to be prescribed by the Enforcement Decree.
- Right to Refuse or Request an Explanation on Automated Decision-making
The Amended PIPA also grants data subjects the right to refuse or request an explanation of a decision made through a fully-automated system (including those that use AI technology) if the decision significantly impacts the data subject's rights or obligations.
3. Removal of Special Provisions [3]
Under the existing data protection scheme, offline and online service providers (i.e., ICSPs) are subject to different sets of data protection rules. For example, under the currently-effective PIPA, personal information controllers who collect personal information without due consent may be subject to (i) an administrative fine of less than KRW 50 million if they operate offline and (ii) penalty surcharges of less than 3% of the revenue related to the violation if they operate online.
Under the Amended PIPA, however, all personal information controllers will become subject to the same rules, regardless of whether they operate offline or online. Specifically, Special Provisions that do not overlap [4] with the provisions applicable to offline businesses (“General Provisions”) under the currently effective PIPA will now apply to offline businesses as well, while Special Provisions that overlap [5] will be deleted and integrated into the General Provisions.
4. Shifting away from criminal sanctions towards economic sanctions [6]
By removing many of the criminal penalty provisions applicable to corporate personnel (e.g., CEO, chief privacy officer) in favor of economic sanctions on the companies themselves, the Amended PIPA encourages businesses to invest in and enhance the effectiveness of their personal information protection mechanisms.
Specifically, the Amended PIPA revises the penalty provisions by (i) revamping/abolishing those that impose excessive criminal sanctions on online businesses (i.e., ICSPs), [7] and (ii) increasing the cap on penalty surcharges and broadening the scope of businesses subject thereto.
Accordingly, once the Amended PIPA takes effect, a penalty surcharge of up to “3% of total revenue,” which is a wider base than “3% of related revenue” under the existing PIPA, may be levied against all personal information controllers, not just ICSPs. The proper amount of penalty surcharge ultimately imposed on a business under the Amended PIPA may be adjusted to exclude the revenue that is “unrelated” to the violation, but the burden of proof is on the personal information controller to show that a certain amount of revenue was generated from acts unrelated to the violation.
5. Miscellaneous
- Standards for the operation of mobile visual data processing devices [8]
In line with the increasing use of mobile visual data processing devices such as drones and autonomous vehicles, the Amended PIPA includes a definition for “mobile visual data processing devices” in addition to the existing definition for the more traditional “fixed visual data processing devices”, such as CCTVs.
- Cross-border transfer of personal information and cease and desist order [9]
Under the existing PIPA, personal information can be transferred overseas only with the separate and specific consent of the data subject. However, under the Amended PIPA, if the country or international organization to which the personal information is transferred is recognized by the PIPC as having a practically equivalent level of data protection as under the PIPA, no separate consent needs to be obtained, which aligns with international standards on the cross-border transfer of personal information.
Furthermore, the Amended PIPA authorizes the PIPC to issue cease and desist orders to personal information controllers who transfer personal information overseas in violation of the PIPA.
- Privacy policy assessment and recommendations for improvements [10]
The Amended PIPA authorizes the PIPC to review and assess the privacy policies of personal information controllers and recommend improvements where it is deemed necessary based on the results of the assessment.
- Improvements to the Personal Information Dispute Mediation Committee [11]
The Amended PIPA requires all personal information controllers (not just public institutions as is stipulated under the existing PIPA) to participate in the dispute mediation process upon receipt of a mediation notice unless they have a justifiable reason. Notably, a personal information controller that fails to respond within 15 days from its receipt of a provisionary mediation decision will be deemed to have accepted the mediation decision.
Additionally, the Amended PIPA authorizes the Dispute Mediation Committee [12] to investigate or access relevant materials by having its members or affiliated public officials enter the premises related to the case and request pertinent agencies to cooperate, such as by submitting materials or comments.
III. Implications
With the introduction of the data subject’s right to data portability, the Amended PIPA provides a basis for expanding the use of MyData [13] to all sectors, including transportation, information and communications, and health and medical.
While the specific details on how to exercise the right to data portability (e.g., the method of making and withdrawing transmission requests, as well as the transmission period and method) are expected to be specified in the Enforcement Decree and thus will require further monitoring, there will be plenty for companies to do in the meantime to make sure their data processing practices adhere to the new law, in light of the many changes introduced by the Amended PIPA. The unification of previously bifurcated rules for offline and online businesses will likely lessen the risk of noncompliance by providing better consistency, but the amendments made to the penalty provisions will also increase the likelihood of more severe economic sanctions, which may present a new burden on personal information controllers. This is even more so because, although the shift towards economic sanctions lowers the risk that a data breach incident may result in criminal sanctions, the underlying intention behind the amendments is to allow penalty surcharges to be based on multinational businesses’ global revenues, as permitted under the GDPR.
Given the foregoing, companies conducting operations in Korea or servicing users based in Korea are advised to review and update their privacy policies and adjust their business practices to ensure compliance with the Amended PIPA once it takes effect.
[1] Article 15(1)(iv) of the Amended PIPA.
[2] Articles 35-2 and 37-2 of the Amended PIPA.
[3] Deletion of Articles 39-3 through 39-15 of the current PIPA.
[4] Provisions on the damage compensation system, domestic representative designation requirement, and notice requirement for the use of personal information.
[5] Provisions regarding consent to the collection and use of personal information, the collection of personal information of children under the age of 14, notice and reporting of data breach incidents, and security safeguards.
[6] Article 64-2 of the Amended PIPA.
[7] Criminal penalty provisions applicable to ICSPs (e.g., the collection of personal information without consent, personal information leakage due to failure to take safeguard measures, failure to comply with the obligation to destroy personal information, and failure to obtain consent from the legal representative of children under 14 years of age) have been deleted.
[8] Article 2, subparagraph 7-2 and Article 25-2 of the Amended PIPA.
[9] Articles 28-8 and 28-9 of the Amended PIPA.
[10] Article 30-2 of the Amended PIPA.
[11] Articles 43(3) and 47 of the Amended PIPA.
[12] Although technically the Dispute Mediation Committee is a stand-alone organization that is operated independently from the PIPC, it is closely affiliated with the PIPC. Commissioned members and the Chairperson of the Dispute Mediation Committee are commissioned by the Chairperson of the PIPC, and the PIPC has the authority to handle administrative affairs necessary for dispute mediation, such as receiving dispute mediation requests and conducting fact-finding for dispute mediation cases.
[13] A service that allows individuals to manage their personal information scattered across different sectors on one platform.
[Korean version] Second Amendment to the Personal Information Protection Act Passes the National Assembly Plenary Session