Second Major Amendment to the Personal Information Protection Act Passed by National Assembly (I)
On February 27, 2023, the National Assembly passed a bill containing a number of amendments to the Personal Information Protection Act (the Amended PIPA), Korea’s general data protection law. The Amended PIPA, which represents the second step of the Korean government’s multi-step amendment process for the PIPA following the passage of the first amendment in 2020, is scheduled to go into effect 6 months from its promulgation date (which must take place within the next 15 days). However, certain provisions therein, including those relating to automated decision-making and the right to data portability, are scheduled to go into effect 12 months thereafter.
The legislative purpose of the Amended PIPA is to facilitate the use of personal information while strengthening the protection of data subjects’ rights and ensuring compatibility and interoperability with the global regulatory regime with the advent of the digital economy. Accordingly, the Amended PIPA contains some significant changes in terms of substance.
In a series of 3 newsletters, we will take a closer look at some of the key provisions of the Amended PIPA as set out below.
- Newsletter No. 1: Provisions relating to the processing of personal information in general
  - Unification of data protection rules for offline and online businesses
  - Revamping of provisions relating to administrative penalties and criminal penalties
  - Easing of requirements for the processing of personal information
  - Revamping of provisions relating to the mediation of disputes involving personal information
- Newsletter No. 2: Provisions relating to the processing of special categories of personal information
  - Revamping of provisions relating to visual information processing devices
  - Introduction of rights relating to automated decision-making
  - New rules for cross-border transfers of personal information
- Newsletter No. 3: Provisions relating to the right to data portability
In this first newsletter, we review some of the key provisions of the Amended PIPA relating to the processing of personal information in general. Companies are advised to pay close attention to these provisions as they differ in certain respects from the amendments previously proposed by the Korean government back in January 2021 (the Government Proposal).
Unification of data protection rules for offline and online businesses
The current PIPA prescribes one set of data protection rules for ordinary data controllers (a concept similar to that of a “data controller” under GDPR) and a different set of data protection rules for data controllers that are information communications service providers (or ICSPs, a concept which is interpreted quite broadly to include providers of a wide range of services offered over telecommunications or information services networks). The Amended PIPA eliminates this discrepancy by subjecting ordinary data controllers and ICSPs to the same data protection rules and requirements based on the principle of the “same regulation of the same act.” Accordingly, Chapter 6 (Articles 39-3 to 39-15) of the current PIPA, which applies only to ICSPs, is deleted in its entirety under the Amended PIPA. However, certain special rules applicable only to ICSPs (i.e., some of the deleted provisions) have been (i) consolidated with other general provisions overlapping substantially therewith or (ii) expanded in scope for application to all data controllers after being moved elsewhere under the Amended PIPA.
The aforesaid unification of data protection rules is expected to address persistent criticism that the different data protection rules under the current PIPA, applying respectively to ordinary data controllers and ICSPs, create unnecessary confusion with regard to enforcement because the distinction between the two is not always clear. These latest changes, however, may increase the compliance burden of offline businesses, which will become subject to additional data privacy requirements under the Amended PIPA that currently apply only to ICSPs. Thus, offline businesses are advised to closely follow corresponding amendments to the Enforcement Decree of the PIPA to check if and to what extent they may be subject to such additional data privacy requirements.
Revamping of provisions relating to administrative penalties and criminal penalties (Articles 64-2 and 71 ~ 73)
The Amended PIPA also seeks to revamp some of the administrative penalty and criminal penalty provisions as follows.
Under the current PIPA, different provisions prescribe administrative penalties for various violations, including (i) unlawful processing of pseudonymized information, (ii) leakage of resident registration numbers, and (iii) violations committed specifically by ICSPs, such as failures to obtain consent. Under the Amended PIPA, however, all administrative penalties will be prescribed by a single provision – the newly created Article 64-2 – which will apply to both ordinary data controllers and ICSPs alike.
Offline businesses are advised to take note that the collection/use of personal information without consent and the collection/use of personal information of a data subject under 14 without his/her legal representative’s consent will be subject to an administrative penalty under the Amended PIPA instead of an administrative fine under the current PIPA.
Under the current PIPA, the upper limit of the administrative penalty is 3% of the sales revenue related to the activity in violation of the PIPA. Under the Amended PIPA, however, the upper limit of the administrative penalty will, in principle, be 3% of total sales revenue unless the data controller can successfully argue for the exclusion of any sales revenue unrelated to the activity in violation of the PIPA[1]. However, it should be noted that if a data controller refuses to submit sales calculation data without a justifiable reason or submits any such data that is false, the upper limit of the penalty may be calculated based just on 3% of total sales revenue, with the inclusion of sales revenue that appears unrelated to the activity in violation of the PIPA.
The Amended PIPA will prescribe the same criminal penalties for the same violations irrespective of whether such violations are committed by ordinary data controllers or ICSPs. However, certain violations which are currently subject to criminal penalties will be subject only to administrative penalties under the Amended PIPA. Specifically, provisions in the current PIPA prescribing criminal penalties for (i) the leakage of personal information due to the data controller’s failure to implement mandatory security measures, (ii) an ICSP’s collection and use of personal information without consent, and (iii) a failure to destroy personal information have been deleted from the Amended PIPA.
Easing of consent requirements for the processing of personal information
The Amended PIPA will ease certain requirements for the processing of personal information without the data subject’s consent as below.
Revamping of provisions relating to the mediation of disputes involving personal information
To promote the mediation of disputes involving personal information by the Personal Information Dispute Mediation Committee (the PIDMC) as a more efficient alternative to litigation for the settlement of such disputes, the Amended PIPA will amend or newly create several provisions such as the following:
Consequently, it is anticipated that data subjects will be able to exercise their rights more robustly than before by taking advantage of these improvements, which, in turn, is expected to result in more dispute mediation cases before the PIDMC and a corresponding increase in the burden on data controllers to respond to such cases.
Notably, the Amended PIPA will also contain, among others, the following provisions relating to the processing of personal information:
If you have any questions regarding this article, please contact below:
Kwang Bae PARK
Jong soo (Jay) YOON
Hwan Kyoung KO
Sunghee CHE
Kyung Min SON
For more information, please visit our website: www.leeko.com
[1] Initially, the Government Proposal only stated a maximum administrative penalty amount of 3% of total sales revenue, which was subsequently changed, after the public commentary period, to permit the exclusion of any sales revenue unrelated to the activity in violation of the PIPA.