The Personal Information Protection Act (“PIPA”) was enacted as a general law of personal information in March 2011 to fulfill the need for presiding rules to govern personal information protection. In fact, there have already been a number of special laws governing personal information protection in various special areas and cases, such as The Act on Promotion of Information and Communications Network Utilization Information Protection (“Network Act”) governing information and communications services, and the Use and Protection of Credit Information Act (“Credit Information Act”) governing personal credit information. Special laws prevail over the general law, when in conflict with individual articles of the general law.

Despite the overhaul of the legal system, large-scale personal data leakage cases involving large corporations and commercial banks have been reported in increasing numbers. Some cases are the result of external attacks, but many of the data leakages were due to the misconduct or negligence of the employees of the companies in question, or mishandling of information by the trustees who were entrusted with business affairs related to personal information. Of particular note, the trustees of personal information have been the most common source of leaks.