
South Korea: Guidelines for foreign businesses under PIPA

In this Insight article, HoSang Yoon and Hyein Lee, from Shin & Kim LLC, delve into the release of the Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators (the Guidelines), designed to assist foreign businesses in complying with the Personal Information Protection Act (PIPA). Released by the Personal Information Protection Commission (PIPC) on April 4, 2024, the Guidelines provide a comprehensive framework to help foreign businesses meet PIPA requirements and emphasize the importance of adopting robust measures to safeguard the personal data of South Korean users.


Introduction

The PIPC has operated on the premise that the PIPA's application is not limited to domestic companies, and as a result has not shied away from levying sanctions on foreign businesses. One of the most common criticisms that foreign businesses have faced in South Korea is their failure to comply with the PIPA's consent requirements when collecting and processing the personal information of South Korean users, a point that has often been raised in recent years during the National Assembly's annual audit of state affairs. In 2021 this led the PIPC to fine a social media company for collecting facial recognition data without users' consent, and a streaming service company for collecting personal information from prospective users before they had completed the subscription process, both in violation of the PIPA. More recently, in 2022, the PIPC imposed record fines totaling KRW 100 billion (approx. $72.5 million) on two technology companies for collecting and processing users' behavioral data for targeted advertising without consent.

While it is sometimes relatively clear whether the PIPA applies, as it was in the above cases, a level of uncertainty remains in other instances, given that the PIPA is silent on its extraterritorial application. As foreign service providers operating in South Korea grow in number and the scope of their businesses expands, this uncertainty has been compounded and has led to confusion among foreign companies over what they are permitted or required to do. The PIPC released the Guidelines to help address these concerns and lower the risk of non-compliance for foreign businesses. The Guidelines, which are similar in form to the European Data Protection Board's Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), are written in an easy-to-understand manner and focus on specific examples, with particular emphasis on issues that overseas businesses need to be especially aware of and comply with, in light of past cases of non-compliance.

Key aspects of the Guidelines

The Guidelines consist of three main parts: the principles underlying the application of the PIPA, the detailed application criteria, and the requirements upon application.

Principles

Unlike the General Data Protection Regulation (GDPR), the PIPA does not contain an explicit provision on the law's application to foreign businesses. However, the Guidelines explain that overseas companies are still subject to the PIPA based on the general principles of applying South Korean laws and the individual provisions of the PIPA. Specifically, the Guidelines mention that in principle, South Korean laws including the PIPA apply to all acts performed within the South Korean territory or committed by a South Korean national, as well as any acts that infringe on the interests of South Korea as a nation or a South Korean national, regardless of the nationality of the actor and the place where the act occurred. Furthermore, the PIPA does not limit its scope and applicability to South Korean nationals or South Korean data subjects.

Application criteria

According to the Guidelines, the PIPA may apply where an overseas company provides goods or services to South Korean data subjects, the processing of personal information by an overseas company affects South Korean data subjects, or the overseas company has a place of business in the territory of South Korea.

In determining whether a foreign business provides goods or services to South Korean data subjects, various factors such as the language, currency, and form/manner used to provide the goods or services will be comprehensively considered. Therefore, if the company operates a website and uses a Korean country domain (.kr) or a separate local domain for South Korea (such as ko-kr) in its internet address, launches a service for Korea in an app market, or provides services only in Korean, the company may be viewed as providing goods or services to South Korean data subjects.

Even if a foreign business does not provide goods or services to South Korean data subjects, it can still be subject to the PIPA if the company can reasonably foresee that its processing of South Korean data subjects' personal information will have a direct and significant impact on the relevant individuals. The impact on South Korean data subjects is determined on a case-by-case basis. For example, if a company provides a service based on its collection of personal information of South Korean data subjects which the company then discloses on its website, a 'direct and significant' impact on the Korean data subjects is anticipated and thus the company will be required to comply with the PIPA.

Finally, the PIPA can also come into play when a foreign company maintains a place of business in Korea where data processing activities take place. For instance, if a global service provider designates its local entity in South Korea as the personal information controller for South Korean data subjects, the local entity so designated will become subject to the PIPA. However, if there is no relevance between the global service provider's data processing activities and the operations undertaken by the local entity, this may not be the case.

Matters to be observed by foreign business subject to the PIPA

In principle, foreign businesses subject to the PIPA must comply with all the requirements under the PIPA. Below is a summary of the key requirements that foreign businesses must observe but often overlook.

Notification and reporting of data breach

Notice to affected data subjects and reporting to the competent authority must be made within 72 hours of becoming aware of a data breach. A company that knows a data breach incident has occurred, but does not classify data subjects by country in managing its personal information processing system, is deemed to be aware of a breach affecting South Korean data subjects even where the extent of the incident has not yet been fully ascertained. However, if the incident analysis confirms within the 72-hour period that the personal information of South Korean data subjects was not leaked as a result of the breach, the incident does not have to be reported to the competent authority.

Disclosure of privacy policy

Foreign businesses subject to the PIPA must prepare and disclose a privacy policy in Korean to ensure that all South Korean data subjects can easily understand how their personal information will be processed. The privacy policy should not merely be a translation of a privacy policy originally prepared in accordance with another country's law, but rather be specifically written and disclosed pursuant to the PIPA's requirements. Also, instead of disclosing the company's global privacy policy on its website and providing a link to the Korea-specific addendum on a separate page, foreign businesses are advised to, wherever feasible, set up their websites such that the privacy policy accessible to South Korean data subjects contains all the requirements under the PIPA as well on a single webpage.

Under the recently amended PIPA, the PIPC may evaluate the adequacy of a privacy policy, by taking into account whether the privacy policy contains all the information prescribed by the PIPA, is written in an easily understandable manner, and is easily accessible by the data subjects. If the PIPC finds that improvements are needed following its assessment, it has the authority to suggest them. Therefore, it is important for overseas businesses to establish their privacy policies in accordance with the PIPA's requirements. For more details, please refer to the PIPC's Guide for Preparing Privacy Policies.

Coverage of damage compensation liability

Foreign businesses that meet the threshold set forth in the Presidential Decree of the PIPA, which takes into account factors such as sales revenue and the volume of personal information retained by the business, must take necessary measures such as purchasing insurance, joining a mutual aid organization, or setting aside reserves to cover their potential liability for damages. This obligation is assessed separately for each provider of the services (or goods) in question.

If a global company's foreign headquarters and South Korean branch office each separately provide services to South Korean data subjects, the headquarters and the branch must individually assess their number of users and sales revenue and secure the necessary insurance coverage or reserves. However, if the insurance policy or mutual aid organization purchased or joined by the headquarters includes liability coverage for damages that stem from the South Korean branch office's provision of goods or services, it would not be necessary for the South Korean branch to separately subscribe to insurance or join a mutual aid organization.

It is also not mandatory for foreign businesses to purchase insurance from, or join a mutual aid organization provided by, a South Korean entity; but if they opt for a foreign insurance policy or join a mutual aid organization in another country, liability for damages under the PIPA needs to be included in the coverage scope.

Designation of a domestic agent

Similar to the GDPR's representative requirement, an overseas company with no address or place of business in South Korea must designate a domestic agent if the company's revenue or the scale of personal information it retains exceeds a certain level, or if the PIPC, after requesting relevant materials from the company, deliberates and resolves that such a designation is necessary. If an overseas company has a subsidiary in South Korea, or a local entity over which it can exercise dominant power with respect to that entity's composition of executive officers and business operations, the Guidelines advise that the subsidiary or local entity be designated as the domestic agent. Either a natural person or a corporation with an address or place of business in South Korea is qualified to act as a domestic agent. While the domestic agent does not have to be a South Korean national, they must be able to communicate fluently in Korean, because the agent must handle domestic users' complaints related to personal information and submit accurate information and materials to the regulators upon request.

Takeaways

Violations of the PIPA are punishable by, among others, a penalty surcharge, the amount of which is based on the company's revenue. Following the PIPA's amendment, the maximum penalty surcharge that can be levied by the PIPC is 3% of the company's total global revenue and thus is not limited to sales in South Korea. Revenue that is unrelated to the violation is excluded from the total revenue when calculating the penalty surcharge, but the burden of proof falls on the company. The Guidelines explain that if a violation committed by a foreign business or the results of its illegal processing of South Korean data subjects' personal information affect the overall goods or services provided by the company across the world, the relevant sales can be considered as sales related to the violation.

Since its elevation to an independent regulatory agency in August 2020 with complete power over all data protection issues in South Korea, the PIPC has imposed fines totaling KRW 113.3 billion (approx. $82 million) on overseas businesses, reflecting its commitment to heavily sanction any violations of the law. As such, overseas businesses should carefully review the Guidelines to determine whether they fall within the scope of the application, and if so make efforts to ensure compliance with the PIPA.

HoSang Yoon Partner
[email protected]
Hyein Lee Senior Foreign Attorney
[email protected]
Shin & Kim LLC, Seoul