Lee & Ko
On January 9, 2020, amendments to Korea’s 3 major data privacy laws (“Three Data Laws”), i.e., Personal Information Protection Act (“PIPA”), Act on the Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), and Credit Information Use and Protection Act (“Credit Information Act”), were passed at a plenary session of the National Assembly of Korea.
We live in an era of a data-driven economy, where the use of new technologies such as artificial intelligence (AI), cloud services, and the Internet of Things (IoT) has become a necessity in order to process increasingly large amounts of data and develop new businesses in the IT sector. In line with legislative trends in other major parts of the world, there has long been a push in Korea towards amending the Three Data Laws to ensure the secure use of personal information while still paving the way for the more efficient processing of big data. The revisions to the Three Data Laws are the culmination of such efforts.
The amendments to the PIPA that have been adopted include, among others: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA.
Given the importance of the newly amended PIPA and its potential implications for data-reliant industries regulated by the PIPA, we have summarized below the key changes to the law.
1. Key Provisions of the Amended PIPA
(1) Clarification of the definition of “personal information” (Article 2(1))
As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.” The specific criterion set forth in the amended PIPA is that one must give “reasonable consideration to factors such as time, cost, and technology required for identifying an individual, including the likelihood of obtaining additional information to be combined with the subject information.” The above criterion is intended to prevent the definition of personal information from being interpreted too broadly under the PIPA.
(2) Introduction of “pseudonymized information” (Article 2(1)(c), 2(1-2), 2(1-8) and Chapter 3)
The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.” Here, “pseudonymization” means the process of fully or partially deleting or replacing personal information or employing other similar methods such that the personal information can no longer be attributed to a specific individual without additional information.
The initial draft amendment of the PIPA that was proposed to the National Assembly by Representative Jae-Geun IN (“Initial PIPA Bill”) provided that the specific methods of pseudonymization would be set forth in the relevant Presidential Decree. However, the final version of the amendment which passed the National Assembly stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.
Under the amended PIPA, data handlers may process pseudonymized information without the consent of the data subject for purposes including statistical compiling, scientific research, and record preservation for the public interest. Moreover, the PIPA’s provisions regarding the destruction of personal information and the data subject’s right to request access, or the correction/deletion of personal information, do not apply to pseudonymized information. As stated in the reasons for the proposed amendment to the PIPA, “scientific research” purposes include “commercial purposes such as the development of data-based, innovative technology, products, and services.” The wider scope of purposes for which personal information may, after being pseudonymized, be used and provided to third parties under the amended PIPA is in line with the demands of the current data economy.
Meanwhile, the amended PIPA regulates the combining of pseudonymized information managed by different data handlers by stipulating that only professional institutions designated by the PIPC or by the head of a pertinent central administrative agency may combine such pseudonymized information. Also, the combined information may only be exported outside of the professional institution after obtaining the approval of the head of the said institution.
Furthermore, the amended PIPA requires that anyone who processes pseudonymized information must implement the statutorily-prescribed security measures. Processing pseudonymized information for the purpose of identifying a specific individual is also prohibited under the amended PIPA. Anyone who violates this prohibition may be subject to a penalty surcharge of 3% or less of their total revenue, and imprisonment of up to 5 years or a fine of up to KRW 50 million.
(3) Use of personal information within the scope reasonably related to the original purpose of the collection (Article 15(3), Article 17(4))
The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject, in accordance with the Presidential Decree to be promulgated. In doing so, the data handler must consider, for example, whether such use or provision may result in any disadvantage to the data subject and/or whether the data handler has implemented the necessary safeguards (e.g., encryption) to ensure the security of the personal information. By this change, the amended PIPA has relaxed the existing consent-oriented regulations, which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection. The specific details regarding the method of using and providing personal information for the purposes described above will be set forth in the Presidential Decree, so it is important to continue monitoring any amendments to be made to the Presidential Decree.
(4) Exclusion of anonymized information from the application of the PIPA (Article 58(2))
The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.
Under the current PIPA, Anonymized Information is already considered non-personal information which is not subject to the PIPA. However, to avoid any dispute over potential gray areas, the amended PIPA explicitly states that Anonymized Information is excluded from the application of the PIPA.
(5) Transfer of the Network Act’s personal information-related provisions to the PIPA (Chapter 6)
The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information Provided by Information and Communications Service Providers (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA. Examples of such provisions include those on the collection and use of personal information, notification and report of personal information leakages, destruction of personal information of inactive users, notification of personal information usage details/records, damage compensation guarantees, designation of a domestic representative, protection of personal information transferred abroad, and penalty surcharges.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party
Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing.
Under the current PIPA, the data subject’s consent is not required for Outsourcing. However, because the Network Act included such a consent requirement, ICSPs were required to obtain separate consent not just for the collection/use of personal information and the provision of personal information to a third party, but also for Outsourcing. Due to this additional consent requirement, Article 25 of the Network Act was often cited as one of the main reasons that IT service providers were prevented from more actively utilizing cloud services, which is generally how most IT service providers process their customers’ data.
For your information, the Initial PIPA Bill included Article 25 of the Network Act as one of the Special Provisions to be transferred to the PIPA. Yet, the idea of transferring Article 25 to the PIPA was discarded during the bill review process after several legal and industry experts pointed out the problems with doing so, and data handlers/ICSPs also criticized the possible implications.
(7) Streamlining of Korea’s data protection regulatory authorities (Article 7, 7-14)
The PIPC will be elevated to a central administrative agency reporting to the Prime Minister, and will also become the supervisory authority for data breaches (including the misuse/abuse of personal information and leakages). Personal information protection matters that are currently handled by multiple agencies (i.e., the Ministry of Public Administration and Security and the Korea Communications Commission (“KCC”)) will all be handled by the PIPC instead. In order to ensure the independence of the PIPC, Article 18 of the Government Organization Act — which stipulates the Prime Minister’s authority to direct and supervise the heads of central administrative agencies under orders from the President, and to revoke or suspend any administrative orders issued by the head of a central administrative agency if they are deemed unlawful or unjust — will not apply to certain tasks performed by the PIPC.
2. Amended Network Act: deletion of personal information-related provisions
As explained above, in order to achieve harmonization among the Three Data Laws, the personal information-related provisions of the Network Act have been transferred to the PIPA, and thus the said provisions (i.e., Chapter 4 (Protection of Personal Information)) have been deleted from the Network Act.
3. Amendments to the Credit Information Act and Act on the Protection and Use of Location Information
The amendment to the Credit Information Act was also passed by the National Assembly’s plenary session on January 9, 2020, the same date that the amendments to the PIPA and Network Act were passed. Among the changes that were adopted, certain provisions of the Credit Information Act that overlapped with the PIPA were revamped so that the relevant provisions of the PIPA would apply instead, and some provisions were revised to clarify the Credit Information Act’s relationship with the PIPA. As such, in order to determine whether the amended PIPA (and not the Credit Information Act) will apply to the processing of an individual’s personal credit information, concerned businesses and companies should review the PIPA’s new changes in detail. For your information, the amended Credit Information Act stipulates that the PIPC has the authority to supervise personal credit information that is processed by a business operator and not a financial institution, while the Financial Services Commission has supervisory authority over personal credit information processed by financial institutions.
The draft amendment for the Act on the Protection and Use of Location Information (“Location Information Act”) — which was also proposed to the National Assembly on November 15, 2018 along with the draft amendments of the PIPA and Network Act — includes a provision that would transfer the Korea Communications Commission’s (“KCC’s”) authority to enforce/oversee matters relating to the protection of personal location information (which qualifies as personal information) to the PIPC, and have the KCC and PIPC be jointly responsible for enforcing the Location Information Act. The National Assembly’s review of the Location Information Act’s amendment bill has been postponed due to the need to further discuss and clarify the respective scope of tasks to be performed by each of the two authorities. As such, it would be helpful to keep an eye on whether the bill is eventually passed.
The new PIPA is meaningful in that it provides clearer guidance to data handlers on what constitutes the lawful processing of personal information, and also sets forth the standards for the secure processing of personal information. Yet, since the amended PIPA also imposes additional obligations on data handlers and provides for heavier sanctions (e.g., introduction of a penalty surcharge) in the case of a violation, the recent changes should not be taken lightly.
The amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations and related public notices are also expected to take place in the upcoming months. Therefore, we recommend that anyone who is likely to be affected by the new PIPA review the changes carefully, and continue to monitor any related legislative developments.
If you have any questions regarding this article, please contact below:
Kwang Bae PARK ([email protected])
Jongsoo (Jay) YOON ([email protected])
Yu Jin KIM ([email protected])
Ju Bong JANG ([email protected])
Hyunjun KIM ([email protected])
Hwan Kyoung KO ([email protected])
Sunghee CHAE ([email protected])
Tae Joo KIM ([email protected])
Minchae KANG ([email protected])
Kyung Min SON ([email protected])
For more information, please visit our website: www.leeko.com