On February 27, 2023, the National Assembly passed a bill containing a number of amendments to the Personal Information Protection Act (the Amended PIPA), Korea’s general data protection law.  The Amended PIPA, which represents the second step of the Korean government’s multi-step amendment process for the PIPA following the passage of the first amendment in 2020, is scheduled to go into effect 6 months from its promulgation date (which must take place within the next 15 days). However, certain provisions therein, including those relating to automated decision-making and the right to data portability, are scheduled to go into effect 12 months thereafter. 

The legislative purpose of the Amended PIPA is to facilitate the use of personal information while strengthening the protection of data subjects’ rights and ensuring compatibility and interoperability with the global regulatory regime in the advent of the digital economy.  Accordingly, the Amended PIPA contains some significant changes in terms of substance.

In a series of 3 newsletters, which will be circulated in short succession, we will take a closer look at some of the key provisions of the Amended PIPA as set out below.

Newsletter No. 1: Provisions relating to the processing of personal information in general

–       Unification of data protection rules for offline and online businesses

–       Revamping of provisions relating to administrative penalties and criminal penalties

–       Easing of requirements for the processing of personal information

–       Revamping of provisions relating to the mediation of disputes involving personal information

 

Newsletter No. 2: Provisions relating to the processing of special categories of personal information

–       Revamping of provisions relating to visual information processing devices

–       Introduction of rights relating to automated decision-making

–       New rules for cross-border transfers of personal information

 

Newsletter No. 3: Provisions relating to the right to data portability

In this second newsletter, we review some of the key provisions of the Amended PIPA relating to the processing of special categories of personal information.

  1. Revamping of provisions relating to visual information processing devices

The current PIPA only regulates ‘stationary’ visual information processing devices such as CCTVs.  In contrast, the Amended PIPA will introduce new provisions to regulate ‘mobile’ visual information processing devices (e.g., drones, autonomous vehicles) while revamping existing provisions on the regulation of stationary visual information processing devices as below.

  1. Introduction of new provisions for mobile visual information processing devices

Under the current PIPA, the use of mobile visual information processing devices to film or photograph data subjects in open spaces for business purposes is permitted when doing so pursuant to legal bases such as data subjects’ consent or the data controller’s legitimate interest.  The Amended PIPA will additionally permit the use of mobile visual information processing devices for such filming/photographing in cases where (i) data subjects have refrained from indicating their refusal thereof despite being clearly aware of such filming/photographing taking place as indicated by light, sound, or signboards and (ii) such filming/photographing is conducted only to a reasonable extent and is unlikely to unfairly infringe the rights of data subjects (Art. 25-2).

This new provision is noteworthy because it alleviates the difficulty of the filming/photographing party, under the current PIPA, of having to obtain opt-in consent from a large number of unspecified individuals or identify its legitimate interest when using mobile visual information processing devices to film/photograph their personal information.

However, there is some uncertainty as to whether it will be possible for data subjects, who do not wish to be filmed/photographed by such mobile visual information processing devices, to adequately express their refusal in accordance with this statutory mechanism.  Therefore, to obtain a greater level of clarity, it will be necessary to closely follow how the Personal Information Protection Committee (the PIPC) will interpret and enforce this provision in the future.

  1. Revamping of existing provisions for stationary visual information processing devices

Under the current PIPA, the filming or photographing of data subjects using stationary visual information processing devices is only permitted when such devices are installed in open spaces for certain legally prescribed purposes such as facility safety, fire prevention, and traffic control.  The Amended PIPA will additionally permit the use of stationary visual information processing devices in open spaces for certain other purposes (to be specified by corresponding amendments to the Enforcement Decree of the PIPA) provided that no storage of the filmed/photographed personal information takes place.  However, regarding the aforementioned purposes related to facility safety, fire prevention, and traffic control, the Amended PIPA will additionally require that the stationary visual information processing devices be installed/operated only by “persons who are duly authorized” to conduct activity necessary to achieve such purposes(Art. 25(1)).

  1. Introduction of rights relating to automated decision-making

Under the Amended PIPA, data subjects will have the following rights in relation to automated decision making (Art. 37-2)[1]:

  • The right to request an explanation from the data controller in cases where they have been subjected to automated decision-making.
  • The right not to be subject to automated decision-making in certain cases when automated decision-making is likely to affect/has affected their rights or obligations significantly, except when such decision-making is made on the basis of data subjects’ consent, legal provisions or the need for the execution/performance of a contract between the data subjects and the data controller.

Upon the exercise of the aforementioned rights by a data subject the data controller will be required to, unless there is a justifiable reason not to, take necessary measures such as excluding the data subject from automated decision-making, re-processing his/her personal information with human involvement or providing an explanation thereon.  The data controller is also required to take certain other measures, such as disclosing the criteria and procedures for automated decision-making in a manner easily noticeable by data subjects.

Similar rights relating to automated decision-making have already been introduced in the GDPR and the Credit Information Use and Protection Act of Korea (the Credit Information Act).  However, the rights prescribed by the GDPR and the Credit Information Act differ in certain respects to those prescribed by the Amended PIPA.  Specifically, the GDPR only prescribes the data subject’s right to refuse/object to a decision and the right to express his/her point of view (Art. 22(3)) while the Credit Information Act only prescribes the data subject’s right to request an explanation, the right to submit information, and the right to object to a decision in certain cases (Art. 36-2(1), (2)).

The introduction of the aforementioned rights related to automated decision-making in the Amended PIPA can be seen as a meaningful measure to prevent the infringement of the rights data subjects at a time when data controllers are relying increasingly on automated decision-making due to rapid advances in artificial intelligence technology.

  1. New rules for cross-border transfers of personal information
  1. Expansion of legal bases for cross-border transfers of personal information

Under the Amended PIPA, the legal bases pursuant to which personal information may be transferred cross-border have been expanded to include the following (Art. 28-8);

  1. when the data subject has separately given his or her consent;
  2. when there are special provisions regarding the cross-border transfer of personal information in laws, treaties, or international agreements;
  3. when the (i) outsourcing of the processing of personal information or the storage thereof is necessary for the execution or performance of a contract and (ii) information[2] that must be notified to data subjects when obtaining consent for the cross-border transfer of personal information has been disclosed in the privacy policy or notified individually to data subjects via methods prescribed by the Enforcement Decree of the PIPA (e.g., by email);
  4. if the overseas recipient has obtained data protection certification prescribed by the PIPC and has taken all of the following measures:
    • security measures necessary for the protection of personal information and measures necessary to guarantee the rights of data subjects; and
    • measures necessary to conduct data processing in accordance with data protection certification in the country where personal information is to be transferred; and
  5. when personal information will be transferred cross-border to a country or international organization recognized by the PIPC as having essentially equivalent levels of data protection as those required under the PIPA.
  6. Orders to cease the cross-border transfer of personal information (Art. 28-9)

Under the Amended PIPA, the PIPC will be newly authorized to order[3] data controllers to cease cross-border transfers of personal information in cases where: (i) such cross-border transfers are taking place or expected to take place in a manner that violates the PIPA; or (ii) the recipient, country, or international organization receiving the personal information is not adequately (vis-à-vis what is required under the PIPA) protecting personal information and data subjects are being harmed or likely to be harmed as a result (Art. 28-9).  A failure to comply with the PIPC’s order to cease the cross-border transfer of personal information may result in an administrative penalty of up to 3% of total sales revenue (less any sales revenue unrelated to the activity in violation of the PIPA) (Art. 64-2(vii), (viii)).

These latest amendments reflect and take into account the growing demand for cross-border transfers of personal information by expanding the legal bases for such transfers to take place.  Also, by granting authority to impose orders to cease cross-border transfers, the Amended PIPA will bestow upon the PIPC powers similar to those enjoyed by regulatory authorities under the GDPR (Art. 58(2)(j)).  It should be noted, however, that, unlike the GDPR, the Amended PIPA does not specify standard contractual clauses or binding corporate rules as legal bases for a cross-border transfer.  Accordingly, companies that are transferring personal information overseas from Korea will need to be mindful of these new rules governing cross-border transfers to avoid the risk of a cessation order or other sanctions from the PIPC.

If you have any questions regarding this article, please contact below:

Kwang Bae PARK (kwangbae.park@leeko.com)

Jong soo (Jay) YOON (jay.yoon@leeko.com)

Hwan Kyoung KO (hwankyoung.ko@leeko.com)

Sunghee CHE (sunghee.chae@leeko.com)

Kyung Min SON (kyungmin.son@leeko.com)

For more information, please visit our website: www.leeko.com

[1] Decisions made automatically and without human intervention after processing personal information entirely by automated systems, such as those using artificial intelligence technology (Art.4(vi)).

[2] Under the Amended PIPA, information on the ‘methods and procedures for refusing the transfer of personal information and the effects thereof’ must also be notified to data subjects when obtaining consent for cross-border transfers of personal information.

[3] Data controllers that have been ordered by the PIPC to cease the cross-border transfer of personal information as above will have an opportunity to file an objection within seven (7) days from the receipt of the order.

More from Lee & Ko