LAW

In the past, South Korea did not have a comprehensive law governing data privacy. However, a new law relating to protection of personal information (Personal Information Protection Act, "PIPA") was enacted and became effective as of 30 September 2011.

Moreover, there is sector-specific legislation such as:

  • The Act on Promotion of Information and Communication Network Utilization and Information Protection ("IT Network Act") which regulates the collection and use of personal information by IT Service Providers, defined as telecommunications business operators under Article 2.8 of the Telecommunications Business Act; and other persons who provide information or intermediate the provision of information for profit by utilizing services rendered by a telecommunications business operator;
  • The Use and Protection of Credit Information Act ("UPCIA") which regulates the use and disclosure of Personal Credit Information, defined as credit information which is necessary to determine the credit rating, credit transaction capacity, etc. of an individual person. The UPCIA primarily applies to Credit Information Providers/Users, defined under Article 2.7 of the UPCIA as a person (entity) prescribed by Presidential Decree thereof who provides any third party with credit information obtained or produced in relation to his/her own business for purposes of commercial transactions, such as financial transactions with customers, or who has been continuously supplied with credit information from any third party to use such information for his/her own business; and
  • The Act on Real Name Financial Transactions and Guarantee of Secrecy ("ARNFTGS") which applies to information obtained by financial or financial services institutions.

Under PIPA, except as otherwise provided for in any other Act, the protection of personal information shall be governed by the provisions of PIPA.

DEFINITION OF PERSONAL DATA

Under PIPA, Personal Data is information pertaining to a living individual which identifies a specific person by a name, a national identification number, images, or other similar information (including information that does not, by itself, make it possible to identify a specific person but which enables the recipient of the information to easily identify such person if combined with other information).

Under the IT Network Act, Personal Data is information pertaining to a living individual which identifies a specific person by a name, a national identification number, or similar, in the form of a code, letter, voice, sound, image, or any other form (including information that does not, by itself, make it possible to identify a specific person but which enables such person to be identified easily if combined with other information).

The relevant Korean authorities' understanding is that the construction of Personal Data under PIPA and that under the IT Network Act are the same in spite of subtle differences in the wording of the definitions.

DEFINITION OF SENSITIVE PERSONAL DATA

Under PIPA, Sensitive Personal Data is defined as Personal Data consisting of information relating to a living individual's: (i) thoughts or creed; (ii) history regarding membership in a political party or labor union; (iii) political views; (iv) health care and sexual life; and (v) other Personal Data stipulated under the Enforcement Decree (the Presidential Decree) which is anticipated to otherwise intrude seriously upon the privacy of the person. The Enforcement Decree of PIPA includes genetic information and criminal records as Sensitive Personal Data. The IT Network Act also has a similar definition.

NATIONAL DATA PROTECTION AUTHORITY

The Minister of Public Administration and Security (the "MOPAS") is in charge of the execution of PIPA.

The Korea Communications Commission (the "KCC") is in charge of the execution of the IT Network Act.

REGISTRATION

Under PIPA, a public institution which manages a Personal Data file (collection of Personal Data) shall register the following with the MOPAS: (a) name of the Personal Data file; (b) basis and purpose of operation of the Personal Data file; (c) items of Personal Data which are recorded in the Personal Data file; (d) the method to process Personal Data; (e) period to retain Personal Data; (f) person who receives Personal Data generally or repeatedly; and (g) other matters prescribed by Presidential Decree. A "public institution" in this context refers to any government agency or institution.

The Presidential Decree of PIPA stipulates that the following must also be registered with MOPAS:

  • the name of the institution which operates the Personal Data file;
  • the number of subjects of the Personal Data included in the Personal Data file;
  • the department of the institution in charge of Personal Data processing;
  • the department of the institution handling the Personal Data subjects' request for inspection of Personal Data; and
  • the scope of Personal Data for which inspection can be restricted or rejected, and the grounds therefor.

Only "public institutions" are required to register with the MOPAS.

DATA PROTECTION OFFICERS

Under PIPA, every Data Handler (which means any government entity, company, individual or other person that, directly or through a third party, handles Personal Data in order to manage Personal Data files for work purposes) must designate a data protection officer.

Under the IT Network Act, every IT Service Provider must designate a director or chief officer of the department in charge of handling Personal Data as a data protection officer. Pursuant to the Presidential Decree of the IT Network Act, for an IT Service Provider with fewer than 5 employees, the owner or representative director shall be the person in charge.

COLLECTION AND PROCESSING

If a Data Handler under PIPA or an IT Service Provider under the IT Network Act intends to collect Personal Data from the data subject or IT service user, it must:

  • first notify the data subject or IT service user of the vital information stipulated under the law; and
  • obtain the data subject's or IT service user's prior consent to such collection, except in certain cases stipulated under the law.

If a Data Handler under PIPA intends to collect Sensitive Personal Information, the consent must be separately obtained.

Under the newly amended IT Network Act, which became effective as of 18 August 2012, an IT Service Provider shall not collect a Resident Registration number (equivalent to Social Security number in the United States), unless (i) the IT Service Provider is designated as an identification institution by the KCC; or (ii) there exist special provisions under any other laws or Notification of the KCC.

Under PIPA, prior to obtaining the prerequisite consent for collecting Personal Data from a data subject, a Data Handler must notify the data subject of (a) the purpose of collection and use of the Personal Data, (b) the items of Personal Data to be collected, (c) the time period for possession and use of the Personal Data and (d) the fact that the data subject has the right to refuse to consent, and the consequences of refusing.

Under the IT Network Act, prior to obtaining the prerequisite consent for collecting Personal Data from an IT service user, an IT Service Provider must notify the IT service user of (a) the purpose of collection and use of the Personal Data, (b) the items of Personal Data to be collected and (c) the time period for possession and use of the Personal Data.

When a certain business transfer occurs, the Data Handler or IT Service Provider must give its data subjects or IT service users a chance to opt out by providing a notice which includes: (a) the expected occurrence of Personal Data transfers; (b) the contact information of the recipient of the Personal Data, including the name, address, telephone number and other contact details of the recipient; and (c) the means and process by which the data subject or IT service user may refuse to consent to the transfer of Personal Data.

If the data subject or IT service user is under 14, the consent of his/her legal guardian must be obtained.

As a general rule, a Data Handler under PIPA or an IT Service Provider under the IT Network Act may not handle Personal Data, without obtaining the prior consent of the data subject or IT service user, beyond the scope necessary for the achievement of the Purpose of Use. This general rule also applies where a Data Handler or IT Service Provider acquires Personal Data as a result of a merger or acquisition.

Exceptions to the general rule above apply in the following cases under PIPA:

  • Where there exist special provisions in any Act or it is inevitable to fulfil an obligation imposed by or under any Act and subordinate statute;
  • Where it is inevitable for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.;
  • Where it is inevitably necessary for entering into and performing a contract with a subject of Personal Data;
  • Where it is deemed obviously necessary for the physical safety and property interests of a subject of Personal Data or a third person when the subject of Personal Data or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her unidentified address, etc.; and
  • Where it is necessary for a Data Handler to realise his/her legitimate interests and this obviously takes precedence over the rights of a subject of Personal Data. In such cases, this shall be limited to cases where such data is substantially relevant to a Data Handler's legitimate interests and reasonable scope is not exceeded.

Exceptions to the general rule above apply in the following cases under the IT Network Act:

  • If the Personal Data is necessary in performing the contract on provision of IT services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason;
  • If it is necessary in settling the payment for charges on the IT services rendered; and
  • If a specific provision exists in this Act or any other Act.

Under the ARNFTGS, financial institutions must obtain written consent for the disclosure of an individual's information relating to his/her financial transactions.

TRANSFER

As a general rule, a Data Handler or an IT Service Provider may not provide Personal Data to a third party without obtaining the prior opt-in consent of the data subject or IT service user.

Exceptions to the general rule above apply in the following cases under PIPA:

  • Where there exist special provisions in any Act or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute;
  • Where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.; and
  • Where it is deemed obviously necessary for physical safety and property interests of a subject of Personal Data or a third person when the subject of Personal Data or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her unidentified address, etc.

Exceptions to the general rule above apply under the IT Network Act if a specific provision exists in the IT Network Act or any other Act.

Under PIPA, a Data Handler must obtain consent after it notifies the data subject of (a) the person (entity) to whom the Personal Data is furnished, (b) purpose of use of the Personal Data by the person (entity), (c) types of Personal Data furnished, (d) period of time during which the person (entity) will possess and use the Personal Data and (e) the fact that the data subject has the right to refuse to consent and the consequences of refusing.

Under the IT Network Act, an IT Service Provider must notify the IT service user of (a) the person (entity) to whom the Personal Data is furnished, (b) purpose of use of the Personal Data by the person (entity), (c) types of Personal Data furnished and (d) period of time during which the person (entity) will possess and use the Personal Data, and then obtain consent from the IT service user.

The UPCIA stipulates that prior to obtaining the prerequisite consent for providing Personal Credit Information to any other person, a Credit Information Provider/User must notify the credit information subject of (a) the person (entity) to whom the credit information will be furnished; (b) the purpose of use of the Personal Credit Information by the person (entity); (c) the types of Personal Credit Information to be furnished; and (d) the period of time during which the person (entity) will possess and use the Personal Credit Information.

Exceptions to the general rule above apply in the following cases under the UPCIA:

  • Where a Credit Information Company as defined under Article 2.5 of the UPCIA provides such information for the purpose of performing central management and utilization thereof with another Credit Information Company or a Credit Information Collection Agency as defined under Article 2.6 of the UPCIA;
  • Where such provision is required to perform a contract, and to entrust the processing of credit information under Article 17.2 of the UPCIA;
  • Where the relevant Personal Credit Information is provided as part of rights and obligations that are transferred by way of business transfer, division, merger, etc.;
  • Where Personal Credit Information is provided for a person who uses the information for purposes prescribed by Presidential Decree, including claims collection (applicable only to the credit which is an object of collection), license and authorization, determination of a company's credit worthiness, and transfer of securities;
  • Where Personal Credit Information is provided in accordance with a court order for submission thereof or a warrant issued by a judicial officer;
  • Where such information is provided upon the request of a prosecutor or judicial police officer, in the event of occurrence of an emergency where a victim's life is in danger or he/she is expected to suffer bodily injury, etc., so that no time is available to issue a judicial warrant;
  • Where such information is provided as the head of a competent government office requests, in writing, for the purpose of inquiry and examination in accordance with any laws pertaining to taxes or demands the taxation data required to be provided in accordance with such laws pertaining to taxes;
  • Where Personal Credit Information held by a financial institution is provided to a foreign financial supervisory body in accordance with international conventions, etc.; and
  • Where such information is otherwise provided in accordance with other laws.

Under the ARNFTGS, financial institutions must obtain written consent for the transfer of an individual's information relating to his/her financial transactions to a third party.

SECURITY

Under PIPA and the IT Network Act, every Data Handler or IT Service Provider must, when it handles the Personal Data of a data subject or IT service user, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of Personal Data:

  • establishment and implementation of an internal control plan for handling Personal Data in a safe way;
  • installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to Personal Data;
  • measures for preventing fabrication and alteration of access records;
  • measures for security including encryption technology and other methods for safe storage and transmission of Personal Data;
  • measures for preventing intrusion by computer viruses, including installation and operation of anti-virus ("vaccine") software; and
  • other protective measures necessary for securing the safety of Personal Data.

BREACH NOTIFICATION

Under PIPA, if a breach of Personal Data occurs, the Data Handler must notify the data subjects without delay of the details and circumstances of the breach and the remedial steps planned. If the number of affected data subjects exceeds 10,000, the Data Handler shall immediately report the notification given to data subjects and the results of the measures taken to MOPAS, the Korea Internet & Security Agency ("KISA") or the National Information Security Agency (the "NIA").

Under the IT Network Act, an IT Service Provider must, if it discovers an occurrence of intrusion:

  • immediately report it to the KCC or the Korea Internet & Security Agency (the "KISA"); and
  • analyse the causes of the intrusion and prevent the damage from spreading, whenever an intrusion occurs.

The KCC may, if deemed necessary for analyzing causes of an intrusion, order an IT Service Provider to preserve relevant data, such as access records of the relevant information and communications network.

Under the newly amended IT Network Act, which became effective as of 18 August 2012, if a loss, theft or leakage of Personal Data occurs, the IT Service Provider must without delay notify the IT service user, and report to the KCC, the details and circumstances of the incident and the remedial steps planned.

ENFORCEMENT

The competent authorities may request reports on the handling of Personal Data, and may also issue recommendations or orders if a Data Handler or IT Service Provider violates PIPA or the IT Network Act. Non-compliance with a request or violation of an order can result in fines, imprisonment, or both.

For example, MOPAS, the supervising authority for Data Handlers, can issue a corrective order in response to any breach of the obligation not to provide Personal Data to a third party. Breach of a corrective order leads to an administrative fine of not more than KRW 30 million. Prior to issuing a corrective order, MOPAS may take an incremental approach and instruct, advise and make recommendations to the Data Handler.

Under the IT Network Act, an IT Service Provider who collected Personal Data without consent of the relevant user shall be subject to the penalty of imprisonment for not more than 5 years or a fine not exceeding KRW 50 million.

Under the UPCIA, a Credit Information Provider/User who has provided Personal Credit Information without consent of the relevant credit information subject shall be subject to the penalty of imprisonment of up to 5 years or a fine not exceeding KRW 50 million.

Under the ARNFTGS, a person who discloses information or data concerning financial transactions shall be punished by imprisonment not exceeding 5 years or by a fine not exceeding KRW 30 million.

ELECTRONIC MARKETING

The IT Network Act does not prohibit the transmission of advertisements via an information and communication network, including by electronic mail, but it provides individuals with the right to prevent the processing of their personal data for electronic marketing purposes (i.e. a right to "opt out"). An IT Service Provider who intends to transmit an advertisement by information and communication network must specify the following information in the advertisement.

  • The type and main contents of the transmitted information;
  • The name and contact information of the sender;
  • The source from which the electronic mail address was collected (applicable only when transmitted by electronic mail); and
  • Matters concerning the measures and method by which the addressee can express his intention to decline reception of the information easily.

A person who intends to transmit an advertisement by telephone (including SMS text messages) or facsimile shall obtain the prior consent of the addressee (i.e. an "opt in"), unless (a) the person who has collected the addressee's contact information directly through a transaction of goods, etc. intends to transmit to the addressee advertising information for profit concerning the goods, etc. offered by that person, or (b) the relevant advertising information falls under the definition of an advertisement under the Act on the Consumer Protection in the Electronic Commerce Transactions, etc. or a soliciting telephone call under the Door-to-Door Sales, etc. Act. A person who intends to transmit an advertisement by telephone or facsimile must specify the following information.

  • The name and contact information of the sender; and
  • Matters concerning the measures and method by which the recipient can express his intention to revoke his consent to receive the information easily.

A person who transmits an advertisement shall not take any of the following technical measures.

  • A measure to avoid or impede the addressee's denial of reception of the advertising information or the revocation of his consent to receive such information;
  • A measure to generate an addressee's contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters;
  • A measure to register electronic mail addresses automatically with intent to transmit advertising information for profit; and
  • Various measures to hide the identity of the sender of advertising information or the source of transmission of an advertisement.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Cookies, logs, IP address information, etc. are also regulated by the IT Network Act as personal data where, combined with other information, they enable a specific individual to be identified easily. Under the IT Network Act, cookies (or web beacons) may be used only on an opt-out consent basis, and the privacy policy must publicise the matters concerning the installation, operation and opt-out process for automated means of collecting personal information, such as cookies, logs and web beacons.

The protection of location information is governed by the provisions of the Act on the Protection, Use, etc. of Location Information (the "LBS Act").

Under the LBS Act, any person who intends to collect, use, or provide location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, except (a) where there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency; (b) where there is a request by the police for the rescue of a person whose life or physical safety is in immediate danger; or (c) where there exist special provisions in any Act.

Under the LBS Act, any person (entity) who intends to provide services based on location information (the "Location-based Service Provider") shall report to the KCC. Further, any person (entity) who intends to collect location information and provide the collected location information to location-based service providers (the "Location Information Provider") shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information.

  • Name, address, phone number and other contact information of the Location Information Provider;
  • Rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
  • Details of the services the Location Information Provider intends to provide to Location-based Service Providers;
  • Grounds for and period of retaining data confirming the collection of location information; and
  • Methods of collecting location information.

If a Location-based Service Provider intends to provide a location-based service by utilising personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information.

  • Name, address, phone number and other contact information of the Location-based Service Provider;
  • Rights held by the subjects of personal location information and their legal agents and methods of exercising the rights;
  • Details of the Location-based Services;
  • Grounds for and period of retaining data confirming the use and provision of location information; and
  • Matters concerning notifying the personal location information subject of the provision of location information to a third party, as described below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above, it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of this provision.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com