Korea Update: Data Privacy Update: Proposed Amendment to the Enforcement Decree of the Personal Information Protection Act

The Personal Information Protection Commission (PIPC) has announced the legislative notice of the proposed amendment to the Enforcement Decree of the amended Personal Information Protection Act (the “Proposed Amendment”) set to be effective on September 15, 2023. The Proposed Amendment will undergo a 40-day legislative notice period (from May 19, 2023 to June 28, 2023) and will take effect on September 15, 2023 alongside the amended PIPA.1)

In particular, the Proposed Amendment contains specific provisions regarding:

1) the integration of the rules for all data controllers (including online and offline businesses);

2) requirements for a valid consent under the PIPA to protect the data subjects’ right to consent;

3) specific legal bases for overseas transfer of personal information;

4) the installment and operation of visual data processing devices;

5) specific criteria and procedure for imposing administrative penalties; and

6) dispute resolution mechanisms.

1.Integration of the rules for all data controllers (ordinary data controllers and online service providers)

Following the amended PIPA which integrates the rules applicable to ordinary (or offline) data controllers and the special provisions applicable to online service providers, the Proposed Amendment specifies the unified rules and regulations for all data controllers.

• First, currently, online service providers that satisfy certain thresholds in terms of the revenue generated in the information and communications service sector and user count are required to notify data subjects about their information usage.2) The amended PIPA expands this requirement to all data controllers. Under the Proposed Amendment, all data controllers that, based on the average daily basis of the three-month period immediately preceding the end of the previous year, (i) process sensitive information or personally identifiable information of over 50,000 data subjects, or (ii) process personal information of over 1 million data subjects, are obligated to provide the notification to data subjects (Article 15-3 of the Proposed Amendment).3)

• Under the current law, in the event of data leakage, both ordinary data controllers and online service providers are required to notify the data subjects “without delay”, and report such incident to the PIPC or Korea Internet Security Agency (“KISA”). However, there are differences in the timing of the notification and reporting requirements between ordinary data controllers and online service providers.4) When the Proposed Amendment becomes effective, however, all data controllers must notify the data subjects within 72 hours unless there is a justifiable reason, and report to the PIPC or KISA within 72 hours in cases where (i) the personal information of over 1,000 data subjects is leaked, (ii) sensitive information or personally identifiable information are leaked, or (iii) personal information is leaked due to illegal external access (Article 40 of the Proposed Amendment)5).

• The Proposed Amendment also provides detailed regulations related to the security measures for safeguarding personal information that apply to all data controllers (Article 30 of the Proposed Amendment); and

• The Proposed Amendment removes the “revenue generated from information and communications service sector” criterion from the criteria used for designating a domestic agent for online service providers, thereby enabling the domestic agent criteria to be applicable to ordinary data controllers as well (Article 32-2 of the Proposed Amendment).

2.Requirements for valid consent from the data subjects

Under the amended PIPA, the legal grounds for the collection and use of personal information will become more diversified. In particular, the data controllers will be able to rely more on the “contractual necessity” as the legal basis for the collection and use of personal information. In response, the Proposed Amendment introduces provisions to ensure data subjects’ proper exercise of their right to consent.

While the current Enforcement Decree only specifies the formalities of obtaining consent from data subjects, the Proposed Amendment introduces specific requirements for obtaining valid consent from data subjects. These requirements are as follows:

1) data subjects must be able to freely decide whether to consent based on their own free will;

2) the consent must be specific and clear;

3) plain and easily understandable language must be used in obtaining consent; and

4) the data subjects must be provided with a method to clearly indicate their consent (Article 17 of the Proposed Amendment).

Also, when the data controller intends to rely on the PIPA provision that allows the use or provision of personal data without the consent of the data subjects within the scope that is reasonably related to the purposes of the initial collection, it is necessary to disclose the relevant details in the privacy policy (Article 14-2 of the Proposed Amendment).

To enhance the responsibilities of data controllers and protect the public’s right to know, the amended PIPA introduces the PIPC’s authority to evaluate and recommend improvements to the privacy policy. Accordingly, the Proposed Amendment introduces the criteria and standards for the selection and evaluation of entities subject to the evaluation by the PIPC (Article 31-2 and Article 31-3 of the Proposed Amendment).

3.Establishing specific legal bases for overseas transfer of personal information

The amended PIPA adds new legal bases for the overseas transfer of personal information and authorizes the PIPC to suspend any ongoing or future overseas transfer of personal information. Accordingly, the Proposed Amendment establishes specific criteria for the overseas transfer of personal information and the procedure for the PIPC’s issuance of the suspension order.

Under the Proposed Amendment, the PIPC must consider various factors including those set forth below in a comprehensive manner, and go through the review of the “Overseas Transfer Review Committee” within the PIPC, to issue an order to suspend the overseas transfer of personal information: (i) the types and volume of the personal information being transferred; (ii) the severity of the violation of the law;

(iii) whether the harm suffered by the data subjects is material or irrecoverable; and (iv) whether the suspension of the overseas transfer is clearly beneficial to the data subjects, etc. (Article 29-12 of the Proposed Amendment). The Proposed Amendment also provides a procedure for filing objections against PIPC’s order to suspend the overseas transfer of personal information.

4.Installment and operation of visual data processing devices

With regard to the regulation of visual data processing devices, the amended PIPA regulates fixed devices and movable devices differently. Accordingly, the Proposed Amendment provides specific guidelines for the installment and operation of fixed visual data processing devices and movable visual data processing devices.

Under Article 25(1) of the current PIPA, the installation and operation of fixed visual data processing devices (e.g. CCTV) are restricted to certain specific cases (e.g. prevention or investigation of a crime, for the safety of the premises, etc.). However, the amended PIPA and the Proposed Amendment provide exceptions to these restrictions. To be more specific, fixed visual data processing devices can be operated in public spaces for the purpose of deriving statistical values such as the number of persons entering and exiting a public area, or for deriving demographic data such as gender and age group, provided that the visual data is not recorded (Article 22 of the Proposed Amendment).

Newly introduced provisions in the amended PIPA related to the movable visual data processing devices allow the data controllers to film people and objects related to such people in public places for business purposes, based on certain conditions. The Proposed Amendment provides further details regarding the use of the movable visual data processing devices.

• When using movable visual data processing devices for filming, the data controller must inform the data subjects that they are being filmed by using methods such as lights, sounds, signs, etc. However, considering the nature of filming methods such as aerial filming by drones, where it is difficult to inform the data subjects about the filming, it is possible to provide notification through the website or other means to be determined by the PIPC (Article 27-3 of the Proposed Amendment).

• In principle, the movable visual data processing devices should not be used to film the inside of places used by the general public where there is a significant risk of infringing upon the privacy of others, such as public baths, restrooms, or locker rooms (Article 25-2(2) of the amended PIPA). However, exceptions are made to allow the operation of movable visual data processing devices in such places in cases of crimes, disasters, fires, or similar situations where video recording is necessary for rescue and medical assistance (Article 27-2 of the Proposed Amendment).

5.Specifying the criteria and procedure for imposing administrative penalties

Under the amended PIPA, the upper limit of the administrative penalties has been raised to 3% of the total revenue (Article 64-2(1) of the amended PIPA), and specifies the criteria for calculating the administrative penalties as “the total revenue excluding revenue unrelated to the violation.” Accordingly, the Proposed Amendment defines the scope of “total revenue” and the “revenue unrelated to the violation.”

• The total revenue is defined as the average annual revenue of the three business years immediately preceding the relevant fiscal year when the violation occurred (Article 60-2(1) of the Proposed Amendment).

• The revenue unrelated to the violation is defined as the average annual revenue related to the following: (1) the revenue from the sale of goods or services clearly unrelated to the processing of personal information, or (2) the revenue from the sale of goods or services that the data controller has provided evidence to prove they are not affected by the violation, as determined and recognized by the PIPC (Article 60-2(3) of the Proposed Amendment).

Furthermore, the Proposed Amendment revises Annex 1-5 to allow an extension of the deadline for paying administrative penalties and installment payments. It also provides that administrative penalties may not be imposed in cases where the data controller or other parties have justifiable reasons to believe that their actions are not unlawful, where the nature and degree of the violation are minor, or where no or minor harm has been caused to the affected data subjects, and the criteria specified by the PIPC are met.

6.Elaborating the dispute resolution mechanism

Previously, non-governmental data controllers were free to decide whether or not to participate in dispute resolution. However, under the amended PIPA, it is mandatory for all data controllers to participate in dispute resolution related to personal information, in principle. Exceptions are provided in the Proposed Amendment in cases where: (1) a lawsuit has already been filed before initiating alternative dispute resolution, (2) dispute resolution has already been concluded through a definitive judgment or decision, or (3) a case that has been concluded by a dispute resolution tribunal is resubmitted for resolution. In such cases, data controllers are not obligated to participate in dispute resolution (Article 51-2 of the Proposed Amendment).

Furthermore, with regard to the fact-finding investigation in dispute resolution, the Proposed Amendment states that requests for information and fact-finding should be made only to the extent necessary for the purpose of dispute resolution. The principle of providing the parties with fair and sufficient opportunities to submit evidence and information is also emphasized (Article 51-3 of the Proposed Amendment).

7.Key Takeaways

• All data controllers will need to review their privacy policies and practices to reflect the changes brought by the integration of the rules for online and offline businesses. For example, there will be changes to the thresholds for sending the notice to data subjects regarding the usage of personal information, and the requirements related to data breach incidents.

• Data controllers should be mindful of the new provisions in the Proposed Amendment that aim to ensure consent based on the data subject’s free will. Consent forms and procedures should be carefully reviewed to check whether they sufficiently qualify the conditions of valid consent under the amended PIPA, in particular where the data controller could be seen as being in a dominant position over the data subject (e.g. employment context).

• With the establishment of criteria and procedures for overseas transfers of personal information and guidelines for the installation and operation of stationary and mobile visual data processing devices, the related industries are expected to become vitalized. Data controllers should closely monitor the development of these regulations, which are outlined in the amended PIPA, its Enforcement Decree, and the notices issued by the PIPC

• With the expansion of administrative penalties in terms of their amount and scope, stronger economic sanctions are expected. To ensure compliance with the applicable regulations in the evolving regulatory landscape, we recommend all data controllers proactively conduct compliance checks. Moreover, data controllers should be mindful that the burden of proof to demonstrate the “revenue unrelated to violations” will be on them.

1) The amendments to the Enforcement Decree of the PIPA concerning the data subjects’ right to data portability and right to object to automated decision-making are scheduled to be announced for legislation in the second half of 2023, and will take effect after March 15, 2024.

2) Online service providers who generated sales revenue of KRW 10 billion or more in the information and communications service sector during the previous year (previous business year for a corporation), or who stored and managed personal information of 1 million users or more on average per day during the three-month period immediately preceding the end of the previous year are obliged to notify data subjects of their personal information usage in accordance with Article 39-8(1) of the current PIPA and Article 48-6(1) of the current Enforcement Decree of the PIPA.

3) However, notification may not be required in the following cases: (i) when the data subject expresses refusal to receive notifications, (ii) when the details of the personal information usage and disclosure have already been notified to the data subject according to Article 20(2) of the PIPA,

(iii) when the data subject is an employee of the same data controller or another data controller (limited to cases where processing of personal information, such as contact information, is necessary for performing work duties), and (iv) when there are legal provisions or obligations to store and manage personal information to comply with laws and regulations.

4) Ordinary data controllers must notify the data subjects within 5 business days from the day they became aware of the personal information leakage and report the incident to the PIPC or KISA (Article 34 of the PIPA). On the other hand, online service providers are required to notify the data subjects (users) and report the incident to the PIPC or KISA within 24 hours, unless there are justifiable reasons for delay (Article 39-4 of the PIPA).

5) However, if appropriate actions have been taken to substantially reduce the risk of infringement upon the data subject’s rights, such as retrieving or deleting the relevant personal information, the obligation to report may be exempted.

By Yulchon, Korea, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact korea@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.