Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Korea: PIPA amendments result in amendments to Enforcement Decree

After thoroughly examining the amendments made to the Personal Information Protection Act (PIPA) in Timothy Dickens' previous Insight article and appreciating the practical and judicious approach taken by the Yoon administration, it would be remiss not to also delve into the revisions made to the Enforcement Decree of the Personal Information Protection Act (Decree), which took effect on September 15, 2023. Much like the symbiotic relationship exemplified by Forrest Gump's analogy, 'Jenny and me was like peas and carrots,' PIPA and the Decree go hand in hand. Any alteration to one necessitates a corresponding adjustment in the other to ensure they harmonize seamlessly.

To better understand these amendments and their practical implications more effectively, this Insight article tries to dissect them into easily digestible, bite-sized portions. Hopefully, this approach will satisfy your appetite for understanding.

Waehatman Waedarase / Essentials collection / istockphoto.com

What are the main takeaway amendments to the Decree?

Consent for processing personal information

The Decree aims to strengthen data subjects' rights under PIPA regarding their personal data processing. It emphasizes that consent must be freely given after clear communication of the choice to consent or not. Additionally, any policies for processing personal data should be presented in an easily comprehensible manner.

To obtain legitimate consent, the following conditions must be met:

  • consent must be given freely by the data subject;
  • details about the consent must be specific and clear;
  • the consent form's language must be plain and easily understood; and
  • the data subject must have a clear way to express their consent.

Consent stands as the cornerstone of PIPA, with regulatory emphasis consistently placed on this fundamental principle. The revised Decree solidifies this stance, introducing an additional layer of compliance that will undergo careful scrutiny by regulatory bodies during the assessment of privacy policies and procedures. In addition, one of the main reasons for the revisions, as revealed by the Personal Information Protection Commission (PIPC), was to address the limitations that the existing presidential decree, which only stipulated the 'formal' requirements for the consent method and did not explicitly outline the 'substantive content' of the consent method.

As many are aware, Korean regulators are known for their thorough examination of compliance, whether it pertains to domestic or international companies. Given Korea's civil law jurisdiction, there is limited leeway for interpretation, and the regulator generally maintains a stringent stance on matters of non-compliance.

Integration of rules for online and offline regulations

The Decree aims to implement a technology-neutral stance within the PIPA, ensuring consistent standards for the handling of both online and offline personal data. This move towards harmonizing currently scattered regulations and refining operational procedures is more attuned to the demands of our digital era. In essence, the main points under this aspect are:

  • Presently, online service providers meeting specific thresholds in revenue and user count within the information and communications service sector are mandated to notify data subjects about their data usage. The amended PIPA extended this requirement to all data controllers. According to the Decree, any data controller processing sensitive or personally identifiable information on a daily average of over 50,000 data subjects or personal information on a daily average of over 1 million data subjects during the three-month period prior to the end of the previous year, is obliged to notify data subjects.
  • Both standard data controllers and online service providers have a duty under PIPA to promptly notify data subjects and report data leaks to the PIPC or Korea Internet Security Agency (KISA). Nevertheless, there are disparities in the timing of these notifications and reporting obligations between standard data controllers and online service providers. The Decree stipulates that all data controllers will be required to notify data subjects within 72 hours unless there is a valid reason not to, and to report to the PIPC or KISA within 72 hours in cases where:
    •  the personal information of over 1,000 data subjects is compromised;
    • sensitive or personally identifiable information is exposed; or
    • personal information is leaked due to unauthorized external access, like hacking.
  • The Decree also outlines comprehensive regulations pertaining to security measures for protecting personal information, which apply universally to all data controllers. Furthermore, it eliminates the criterion of 'revenue generated from the information and communications service sector' from the qualifications used to appoint a domestic agent for online service providers. This adjustment allows the criteria for domestic agents to apply to standard data controllers as well.

These amendments were expected in light of the PIPA amendments and will require more vigilance from offline businesses in meeting their compliance requirements.

Mobile visual data

In light of the widespread use of mobile image processing devices such as drones and self-driving cars, the Decree stipulates that tools like CCTV and mobile phone cameras can be deployed and utilized. This is particularly crucial in situations where video recordings are vital for protecting human lives or addressing emergencies. Mobile visual data processing devices are classified into:

  • devices worn on the body and clothes (such as glasses and watches);
  • devices that can be easily carried, like mobile phones and digital cameras; and
  • devices that are fixed and attached to movable objects, such as drones and cars.

Regarding the regulation of visual data processing devices, the Decree introduces distinct rules for fixed and movable devices, providing specific guidance on the installation and operation of both types.

Under the previous PIPA's Article 25(1), fixed visual data processing devices like CCTV were limited to specific cases such as crime prevention or investigations, or premises safety. However, the amended PIPA and the Decree present exceptions to these restrictions. Specifically, fixed devices can be used in public spaces for statistical purposes like counting individuals entering or exiting, or for gathering demographic data like gender and age group, provided no recording takes place.

The amended PIPA introduced provisions related to movable visual data processing devices, allowing data controllers to film individuals and objects related to them in public areas for business purposes, under specific conditions. The Decree further elaborates on the usage of these movable devices.

When employing movable visual data processing devices for filming, data controllers are required to inform the subjects through means such as lights, sounds, signs, etc. However, in cases where informing subjects is challenging, such as aerial filming with drones, notification can be provided through alternative means as determined by the PIPC.

Generally, movable visual data processing devices should not be used to film the interiors of areas accessed by the public, like public baths, restrooms, or locker rooms, where there is a notable risk of intruding on others' privacy. Nevertheless, exceptions exist to allow the operation of these devices in such places in situations involving crimes, disasters, fires, or similar emergencies where video recording is crucial for rescue and medical assistance.

These amendments seem reasonable and remove unnecessary consent requirements where they are practically impossible. However, it will be interesting to see how regulators interpret and implement these changes in live situations and circumstances.

Revenue-based fines for violations

After its amendment, PIPA allows for potential administrative fines, also known as 'penalty surcharges,' of up to 3% of the total sales of the business found in violation. However, this calculation excludes sales that are unrelated to the violation. These revenue-based fines are applied to serious violations, such as the unauthorized collection or transfer of personal information. An important question has been how this differs from the previous rule, which allowed fines of up to 3% of 'sales related to' the violation. The Decree now provides clarification that 'total sales' will not include sales that are clearly unrelated to the processing of personal information and sales that can be shown to be unaffected, either directly or indirectly, by the violation.

Total revenue is defined as the average annual revenue of the three business years immediately preceding the relevant fiscal year when the violation occurred.

The Decree includes provisions that allow for exceptions to administrative penalties. These exceptions may apply when the data controller or other involved parties have justifiable reasons to believe their actions are lawful, when the violation is minor in nature and scope, or when the affected data subjects have suffered no or minimal harm, provided the criteria set by the PIPC are met.

These stipulations and clarifications in the Decree provide a clearer framework for the imposition of potential administrative penalties. It is important to note that fines will now be more substantial. This underscores the need for companies to exercise greater diligence in ensuring compliance with PIPA and to ensure that their internal systems and processes align with the explicit provisions of PIPA. A pertinent example is the significant fines imposed on technology companies, totaling $71 million in 2022, along with additional fines to technology and social media companies in 2023, amounting to roughly $7 million for breaches of PIPA.

Dispute resolution

Under the amended PIPA, all non-governmental data controllers are now required, as a general rule, to participate in dispute resolution concerning personal information. However, there are exceptions outlined in the Decree. These exceptions apply in scenarios where:

  • a lawsuit has been filed prior to the application for dispute mediation;
  • the dispute has already been settled, conclusively decided by a court, or determined by a dispute mediation body under another statute; or
  • an application is submitted to re-mediate a case that has already been decided or closed by the Dispute Mediation Committee. In such instances, data controllers are not obligated to engage in dispute resolution.

Additionally, concerning the fact-finding process in dispute resolution, the Decree stipulates that requests for information and fact-finding should be limited to what is necessary for the purpose of dispute resolution. The principle of affording all parties fair and adequate opportunities to present evidence and information is also emphasized.

Watchful

Similar to the adjustments made to PIPA, many of the amendments to the Decree contribute significantly to the positive direction set by the current administration in enhancing the practicality and efficacy of PIPA. Nevertheless, certain ambiguities remain regarding how authorities will construe, execute, and enforce some of these changes. If the grapevine is to be believed, the authorities are expected to release standard interpretation guidelines by year-end, offering clearer insights into the implementation and interpretation of the amendments to both PIPA and the Decree. Given the dynamic nature of data privacy regulations, there will always be a degree of uncertainty to navigate. However, with caution, one can navigate the maze of privacy regulations. This pivotal approach, as always, is to strike a balance between what is strictly mandated and what is realistically achievable. It is hoped that this summary will aid in that endeavor.

As an additional closing note, and to stay updated on new developments, the rights of data subjects to automated decisions, the right to request personal information transmission, and the work and qualifications of personal information protection officers are scheduled to be implemented after March 15, 2024. The Decree will be revised sequentially after the legislative notice for the enforcement. In particular, regulations related to the right to request personal information transmission are scheduled to come into effect on the date that will be specified by the Decree, starting one year after the date of promulgation of PIPA and not exceeding two years after the date of promulgation (March 15, 2024 to March 15, 2025).

Timothy Dickens Partner
[email protected]
DR & AJU LLC, Seoul