Law

The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute and the Credit Information Use and Protection Act which regulates personal credit information.

The Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (“Network Act”) once functioned as a special statute that regulated the processing of users’ personal information by online service providers. However, after the substantial amendments to the PIPA and the Network Act on January 9, 2020, all provisions related to the processing and protection of personal information applicable to online service providers under the Network Act have been either removed or consolidated into the amended PIPA. The amendments to the PIPA and the Network Act went into force on August 5, 2020, and now the processing of personal information while providing online services is subject to the PIPA under a separate section exclusively dedicated to regulating online service providers (“Special Section”) further explained below. Note that other parts of the PIPA will also apply to “Online Service Providers” (defined as ‘telecommunications service providers’ as prescribed in Article 2, Item 8 of the Telecommunications Business Act and other persons who provide information or act as an intermediary for the provision of information for the purpose of earning profit, by utilizing the services rendered by telecommunications service providers) if the Special Section is silent on a given issue.

On December 5, 2022, the National Policy Committee of the National Assembly passed a bill (the “Proposed Amendment”) to amend the PIPA.

Definition of personal data

Under PIPA, “personal information” means information relating to a living individual that constitutes any of the following:

1. Information that identifies a particular individual by his / her full name, resident registration number, image, etc.
2. Information which, even if by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in this case, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured)
3. Information under items (a) or (b) above that is pseudonymised in accordance with the relevant provisions and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state (referred to as “pseudonymised information”).

Definition of sensitive personal data

Under the PIPA, “sensitive information” is defined as personal information concerning an individual’s ideology, faith, labor union

membership, political views or membership in a political party, health or medical treatment information, sexual orientation, genetic  information, criminal records and biometric data for the purpose of uniquely identifying a natural person and race / ethnic information. Sensitive information can be processed if (a) such processing is required or permitted by a statute, or (b) the consent of the data subject is separately obtained.

Definition of Unique Identification personal data

Under the PIPA, “unique identification information” is defined to be Resident registration number (“RRN”), driver’s license number, passport number, and foreigner registration number. Other information, apart from RRNs, can be processed if (a) such processing is required or permitted by statute, or (b) the consent of the data subject is separately obtained. RRN can only be processed based on a legal basis, irrespective of whether consent to the processing is obtained from the data subject.

The Personal Information Protection Commission (“PIPC”) is in charge of the enforcement of PIPA.

The PIPC shall perform the following work:

1. Matters concerning the improvement of law relating to personal information protection;
2. Matters concerning the establishment or execution of policies, systems or plans relating to personal information protection;
3. Matters concerning investigation into infringement upon the rights of data subjects and the ensuing dispositions;
4. Handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information;
5. Exchange and cooperation with international organizations and foreign personal information protection agencies to protect personal information;
6. Matters concerning the investigation and study, education and promotion of law, policies, systems and status relating to personal information protection;
7. Matters concerning the support of technological development and dissemination relating to personal information protection and nurturing of experts; and
8. Matters specified as the work of the PIPC by the PIPA or other statutes.

Under PIPA, there is no general rule regarding the registration of personal data controller, however, a public institution which manages a personal information file (i.e. collection of personal information) shall register the following with the PIPC. A “public institution” in this context refers to any government agency or institution.

• name of the personal information file;
• basis and purpose of operation of the personal information file;
• items of personal information which are recorded in the personal information file;
• the method to process personal information;
• period to retain personal information file;
• person who receives personal information generally or repeatedly; and
• other matters prescribed by the Presidential Decree.

The Presidential Decree of PIPA stipulates that the followings also shall be registered with the PIPC:

• the name of the institution which operates the personal information file;
• the number of subjects of the personal information included in the personal information file;
• the department of the institution in charge of personal information processing;
• the department of the institution handling the data subjects’ request for inspection of personal information; and
• the scope of personal information inspection of which can be restricted or rejected and the grounds therefore only “public institutions” are required to register with the PIPC.

Under PIPA, every personal data controller (which means any person, any government entity, company, individual or other person that, directly or through a third party, controls and / or processes personal information in order to operate personal information files as part of its activities) must designate a chief privacy officer (“CPO”) who must be an employee or executive of the company.

The CPO’s obligations under the PIPA are as follows:

• establishing and implementing plans for the protection of personal information;
• performing periodic investigations and improving the status and practices of the processing of personal information;
• handling complaints and dealing with damage pertaining to the processing of personal information;
• establishing internal control systems for preventing leakage, misuse and abuse of personal information;
• establishing and implementing training sessions for the protection of personal information;
• protecting, managing, and monitoring personal information files;
• establishing, amending, and implementing a personal information processing policy;
• managing materials concerning the protection of personal information; and
• destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.

There are no nationality or residency requirements for the chief privacy officer. In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA.

Under the PIPA, there must be a specific legitimate basis for processing personal information, with the most representative basis being the data subject’s consent. As a result, in principle, the explicit consent of data subjects must be obtained before processing their personal information. However, the data subjects’ consent is not required in cases where the processing of personal information is prescribed by a statute or where it is necessary for an entity to process personal information in order to comply with its legal obligations.

Exceptions to the general rule above which are applicable to personal data controller are as follows:

• where there exist special provisions in any Act or it is inevitable to fulfil an obligation imposed by or under any Act and subordinate statute;
• where it is inevitable for a public institution to perform its affairs provided for in any Act and subordinate statute where it is inevitably necessary for entering into and performing a contract with a data subject;
• where it is deemed obviously necessary for the physical safety and property interests of a data subject or a third person when the data subject or their legal representative cannot give prior consent because they are unable to express their intention or by reason of their unidentified address; and
• where it is necessary for a personal data controller to realize their legitimate interests and this obviously takes precedence over the rights of a data subject. In such cases, this shall be limited to cases where such data is substantially relevant to a personal data controller’s legitimate interests and reasonable scope is not exceeded.

Exceptions to the general rule above which are applicable to Online Service Providers are as follows:

• if the personal information is necessary in performing the contract for provision of online services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason;
• if it is necessary in settling the payment for charges on the online services rendered; and
• if a specific provision exists in the PIPA or any other Act.

While one consent form may be used, separate consents must be obtained respectively for each type of processing activity (e.g. collection and use, third party provision) and for different types of personal information (e.g. unique identification information and sensitive information).

Under the PIPA, data subjects must be informed of, and provide their consent to, the following matters before their personal information is collected and / or used:

• the purpose of the collection and use;
• the items of personal information that will be collected;
• the duration of the possession and use of the personal information; and
• the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

The collection and use or provision of the resident registration number (which is a type of unique identification information) is prohibited even with the consent of the data subject unless collection and use or provision is explicitly required or permitted under a statute.

When a certain business transfer occurs, the personal data controller must provide its data subjects a chance to opt out by providing a notice, including items of:

• the expected occurrence of personal information transfers;
• the contact information of the recipient of the personal information, including the name, address, telephone number and other contact details of the recipient; and
• the means and process by which the data subjects may refuse to consent to the transfer of personal information.

If the data subject or online service user is under the age of 14, the consent of their legal guardian must be obtained.

As a general rule, a personal data controller may not provide personal information to a third party without obtaining the prior opt in consent of the data subject.

Exceptions to the general rule above apply in the following cases:

• where there exist special provisions in any Act or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute;
• where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.; and
• where it is deemed obviously necessary for the physical safety and property interests of a data subject or a third person when the data subject or his / her legal representative cannot give prior consent because he / she is unable to express his / her intention or by reason of his / her unidentified address, etc.

Under the PIPA, a personal data controller must obtain consent after it notifies the data subject of:

• the person (entity) to whom the personal information is furnished;
• purpose of use of the personal information by the person (entity);
• types of personal information furnished;
• period of time during which the person (entity) will possess and use the personal information; and
• the fact that the data subject has the right to refuse to consent and the consequences of refusing.

While there is no additional requirement for the personal data controller other than the general requirements for third party transfer described above, there is a special provision for cross-border transfer of personal information of “Users” (which is defined as all individuals who use the telecommunications services provided by Online Service Providers). If a User’s personal information is transferred to an overseas entity, Online Service Providers must disclose and obtain the User’s consent with respect to the following:

• the specific information to be transferred overseas;
• the destination country;
• the date, time, and method of transmission;
• the name of the third party and the contact information of the person in charge of the personal information within the third party; and
• the third party’s purpose of use of the personal information and the period of retention and usage.

In principle, this requirement applies irrespective of whether the transfer constitutes a provision of personal information to a third party or an outsourcing of personal information processing, provided that the obligation to obtain Users’ consent may be exempted for outsourcing of personal information processing or storage of personal information if the aforementioned items are disclosed in the privacy policy.

Under the PIPA, when processing personal information acquired indirectly by way of a third party transfer, transferees who meet a certain threshold as provided by the Presidential Decree will be obligated to notify the data subject of (i) the third party source (transferor) from which the personal information was acquired, (ii) the intended use of the received personal information, and (iii) the fact that the data subject has the right to request for suspension from processing personal information.

Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information:

• establishment and implementation of an internal control plan for handling personal information in a safe way;
• installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information;
• measures for preventing fabrication and alteration of access / log records;
• measures for security including encryption technology and other methods for safe storage and transmission of personal information; and
• measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.

Under the PIPA, if a breach of personal information occurs the personal data controller must notify the data subjects without delay of the details and circumstances, and the remedial steps planned. If the number of affected data subjects is 1,000 or more, the personal data controller shall immediately report the notification to data subjects and the result of measures taken to PIPC or the Korea Internet & Security Agency (“KISA”).

Additionally, there is a special provision for Online Service Providers regarding data breach notification. When there is a data breach, the affected Online Service Provider is obligated to provide individual notices to online service users and file a personal information leakage report with the details of the leakage and the remedial steps planned to the PIPC or KISA, regardless of the number of affected data subjects.

Furthermore, under the Network Act, an Online Service Provider must, if it discovers an occurrence of intrusion:

• report it to the Ministry of Science and ICT (“MSIT”)  or KISA within 24 hours of knowledge of the intrusion; and
• analyze causes of intrusion and prevent damage from being spread, whenever an intrusion occurs.

The MSIT may, if deemed necessary for analyzing causes of an intrusion, order an Online Service Provider to preserve relevant data, such as access records of the relevant information and communications network.

The competent authorities may request reports on the handling of personal information, and also may issue recommendations or orders if a personal data controller violates the PIPA. Non-compliance with a request or violation of an order can result in fines, imprisonment, or both.

For example, PIPC, the supervising authority, can issue a corrective order in response to any breach of an obligation not to provide personal information to a third party. Breach of a corrective order leads to an administrative fine of not more than KRW 30 million. Prior to issuing a corrective order, PIPC may take an incremental approach and instruct, advise and make  recommendations to the personal data controller. On the other hand, where personal information has been transferred to a third party without the consent of the data subject and in the absence of exceptional circumstances, both the transferor and the transferee (if it received the personal information knowing that the data subject had not given consent) can be subject to criminal sanctions (imprisonment of up to 5 years or a criminal fine of up to KRW 50 million).

For Online Service Providers, there is a special provision under the Special Section which imposes an administrative surcharge of up to 3% of the relevant sales (or up to KRW 400 million if it is difficult to calculate the relevant sales) for violation of key obligations of Online Service Providers.

Punitive damages

In instances of data breaches caused by the personal data controller's intentional act or negligence, the personal data controller may be liable for three times the damages suffered.

Under the Network Act, anyone who intends to transmit an advertisement by electronic transmission media must receive the explicit consent of the individual, but if the individual either withdraws consent or does not give consent, then an advertisement for profit may not be transmitted.

In addition, the transmitter of advertisement information for profit must disclose the following information specifically within the advertisement:

• the identity and contact information of the transmitter; and
• instructions on how to consent or withdraw consent for receipt of the advertisement information.

A person who transmits an advertisement shall not take any of the following technical measures:

• a measure to avoid or impede the addressee's denial of reception of the advertising information or the revocation of his consent to receive such information;
• a measure to generate an addressee's contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters;
• a measure to register electronic mail addresses automatically with intent to transmit advertising information for profit, and various measures to hide the identity of the sender of advertising information or the source of transmission of an advertisement.

Cookie, logs, IP information, etc. are also regulated by the PIPA as personal information, which if combined with other information may enable the identification of a specific individual person easily. Under the PIPA, using cookies (or web beacons) must be done with the opt-out consent of the user and the privacy policy must publicize the matters concerning installation, operation and opt-out process for automated means of collecting personal information, such as cookies, logs and web beacons.

The protection of location information is governed by the provisions of the Act on the Protection, Use, etc. of Location Information (“LBS Act”).

Under the LBS Act, any person who intends to collect, use, or provide location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, unless:

• there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency
• there is a request by the police for the rescue of the person whose life or physical safety is in immediate danger, or there exist special provisions in any Act.

Under the LBS Act, any person (entity) who intends to provide services based on location information (“Location-based Service Provider”) shall report to the Korea Communications Commission (“KCC”). Further, any person (entity) who intends to collect location information and provide the collected location information to Location-based Service Providers (“Location Information  Provider”) shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

• name, address, phone number and other contact information of the Location Information Provider;
• rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
• details of the services the Location Information Provider intends to provide to Location-based Service Providers;
• grounds for and period of retaining data confirming the collection of location information; and
• methods of collecting location information.

If a Location-based Service Provider intends to provide location-based services by utilizing personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

• name, address, phone number and other contact information of the Location-based Service Provider;
• rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
• details of the location-based services;
• grounds for and period of retaining data confirming the use and provision of location information; and
• matters concerning notifying the personal location information subject of the provision of location information to a third party as below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above, it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of this provision.