A new dawn in privacy is well underway in Asia-Pacific (APAC). With privacy legislation in the region projected to grow 25% between 2021 and Q4 2023, several jurisdictions are set to implement data privacy laws that protect sensitive personal data for the first time.
Others with more mature privacy regimes will move data privacy up a gear to align with GDPR standards. This has been the focus for South Korea, which, in an act of parliament dated 27th February 2023, revised its core data privacy law, the PIPA (개인정보 보호법, “Personal Information Protection Act”).
The amendments herald a shift in punitive measures while conferring certain rights on data subjects, namely the right to data portability and the right to be excluded from automated decision-making. They further tighten the regulatory screws on the overseas transfer of data subjects' personal data.
Keep on reading to learn about these updates and their implications.
What is the South Korean Personal Information Protection Act (PIPA)?
Don’t let the relatively short history of legislative activity fool you — South Korea’s data privacy law has come on in leaps and bounds. South Korea’s policy stance on data privacy is worth noting: the South Korean constitution recognizes data privacy as a fundamental human right.
Likewise, the constitutional court and supreme court have also, in various decisions, ruled that informational self-determination (the right to control one’s personal information) is a separate fundamental human right — notwithstanding its absence in the Constitution.
As data privacy found its way into public discourse, South Korea rolled out legislation to govern data privacy nationwide, the PIPA (Personal Information Protection Act). It came into force on Sept. 30, 2011.
To date, it’s widely recognized as one of the world’s most stringent privacy regimes, thanks to onerous requirements like ‘opt-in’ consent and prior notification, and the weighty sanctions that apply to violations.
Quite like the GDPR, it took proactive and punitive measures to mandate the protection of the privacy rights of data subjects — whether private organizations or even government entities.
The PIPA of 2011 (“The Personal Information Protection Act”)
As mentioned, the PIPA rules the roost regarding the handling of data in South Korea (‘handling’ in this context means collecting, organizing, and processing).
It applies to data handlers: individuals, organizations, public agencies, or juridical persons — in fact, anyone who handles data subjects' personal information, either by themselves or through a third party, to pursue their business activities.
The PIPA appears to be silent regarding an express territorial (and extra-territorial) scope. But at its core, South Korean enforcement standards are comparable to those of the EU’s GDPR.
Consequently, companies operating in South Korea must comply. Foreign companies targeting South Korean data subjects (or any data subjects located within South Korean jurisdiction) must also maintain compliance.
To date, there’ve been key amendments to the PIPA:
The 2020 PIPA amendment
This amendment was initiated on 4th Feb 2020 and took effect on August 5th, 2020.
It offered special protection for pseudonymous and anonymous data processing while implementing new requirements, restrictions, and penalties.
Beyond integrating parts of the Network Act and the National Credit Information Act (more on that later), a notable feature of this PIPA amendment is the vesting of all data protection matters in the PIPC (the Personal Information Protection Commission).
The PIPC reports directly to the Prime Minister and is the independent supervisory authority responsible for making data privacy investigations and recommendations while administering and enforcing the PIPA nationwide.
The 2023 PIPA amendment
On 6 January 2021, the PIPC proposed an additional amendment to the PIPA. Among other things, the amendment:
Reinforces the rights of data subjects, introducing the right to data portability. Data subjects can now request a transfer of their sensitive personal information to themselves or an eligible third party. It also includes the right to be excluded from automated decision-making, thereby empowering data subjects to object to, reject, or contest decisions from AI-automated decision-making systems that may have processed their personal information to reach verdicts impacting them.
Joins the global trend of economic sanctions, replacing criminal sanctions with more administrative penalties (fines), save for certain newly-introduced violations like obstruction of investigations.
Piles on the current requirements for transferring sensitive personal information overseas with additional legal bases.
Levels the compliance threshold for Online Service Providers (“OSPs”) and Ordinary Data Controllers (“ODCs”). Before the now-amended PIPA, OSPs were guided by the general provisions that also applied to ODCs, plus some “special provisions” in the PIPA. Now, both OSPs and ODCs are subject to all provisions of the PIPA.
On 27 February 2023, the amendments were passed into law and entered into force on 15th September 2023.
Most provisions will become effective within six months after the law is promulgated. However, certain provisions, e.g., the right to object to automated decision-making, will become effective after one year.
The right to data portability will be enforced later on a date yet to be decided by the Enforcement Decree of the PIPA.
The Adequacy Decision
The legislative updates designed to bring the PIPA shoulder-to-shoulder with GDPR standards led the EU to adopt an adequacy decision (pursuant to Article 45 of the GDPR) dated 17 December 2021.
The adequacy decision means being added to a whitelist of sorts. It implies that South Korea is deemed — by the EU — to have GDPR-grade data protection, thereby allowing for a seamless flow of data to and from the EU.
Other (specific) laws
Alongside the general law, PIPA, South Korea has a fleet of sector-specific laws in place:
Information and Communications Network Act (“The Network Act”):
This legislation governs online service (IT) providers.
On January 9, 2020, substantial amendments were made to the Network Act. These changes resulted in the consolidation or removal of all provisions that once regulated how online service providers protect and process personal information under the Network Act.
This statute is now largely folded into the PIPA, as the 2020 amendments moved personal information processing under the PIPA in a separate section (named “the special section”) exclusively dedicated to regulating online service providers.
In any case, other parts of the PIPA still apply to online service providers.
The Credit Information Use and Protection Act of 2009 ("Credit Information Act")
This law was enacted to regulate credit information used for credit ratings. It applies to credit information companies and debt collection agencies.
The Act on Real Name Financial Transactions and Guarantee of Secrecy
This act protects the confidentiality of financial secrets and regulates how financial institutions process personal information.
GDPR v. South Korea's PIPA: What are the differences?
South Korea’s Personal Information Protection Act (PIPA) and the EU’s General Data Protection Regulation (GDPR) agree on certain requirements.
For one, the PIPA's requirements for obtaining a data subject's consent are on par with the GDPR guidelines: consent must be freely given, specific, informed, and unambiguous. It must also be an affirmative act (hence the “opt-in” consent requirement).
Recent amendments have also leveled up the PIPA to square up to GDPR standards, as data subjects can object, delete, and request their personal information.
Notwithstanding their many points of convergence, they differ in some respects, and we’ve outlined a few of them below:
Data breach procedure:
Where a data breach occurs, the GDPR requires companies to notify the relevant authority before notifying data subjects. South Korea's PIPA upends this order; companies must inform data subjects about the leakage “without delay” before notifying the relevant authority.
Overseas transfer of personal data:
The PIPA requires companies to obtain the data subject's consent to have personal information transferred overseas. In contrast, the GDPR allows international personal data transfer without the data subject's approval once an adequacy decision or appropriate safeguard mechanism exists.
Appointment of Data Protection Officer
South Korea's PIPA requires employers to appoint a CPO (Chief Privacy Officer). The CPO, however, must be in-house — whether from among the authorized employees or an executive or company representative. On the other hand, the EU’s GDPR allows for external or joint DPOs (Data Protection Officers).
Data subject rights
Concerning the rights of a data subject, the PIPA guarantees the right of access, correction, and deletion. That being said, the GDPR goes further to prescribe the right to transfer personal information to other organizations, the right to limit personal information processing, the right to refuse profiling, as well as the right to be forgotten (permanently deleted from storage).
Fines and penalties
The GDPR imposes higher fines for non-compliance, up to 4% of an organization's annual global revenue or €20 million (whichever is higher), while PIPA imposes fines up to KRW 3 billion (approximately USD 2.2 million) or 3% of the company’s annual revenue, whichever is higher.
The PIPA only requires public institutions to conduct data privacy impact assessments, while the GDPR requires private companies handling a considerable volume of personal data to do the same.
The GDPR applies to the personal information processing of data subjects within the European Union (EU), regardless of where the personal information processing takes place, while PIPA applies to the personal information processing of data subjects based in South Korea, regardless of the nationality or residence of the individuals.
Definition of “Personal Data”
While the GDPR and the PIPA both define personal data broadly to include any information that can identify an individual, the PIPA's definition is slightly narrower. Specifically, the PIPA does not consider pseudonymized data to be personal information if the data cannot be used to identify an individual.
How to ensure compliance with South Korea’s PIPA
Compliance with privacy standards on par with GDPR shouldn’t be unfamiliar territory for companies controlling South Korean data.
But given the now-amended PIPA, you may want to update your privacy policies and statements to spell out the additional rights of data subjects — particularly regarding rights to data portability and against automated decision-making — and their limitations or obligations, if any.
You also want to review your current data privacy compliance practice: make sure to issue a prior notice (an opt-in notification) to data subjects at data collection points, and provide a dashboard where they can grant, refuse, or revoke consent.
Preventive measures like data encryption — in line with Section 24 (3) of the PIPA — to safeguard data, and regular data protection impact assessments, also come to mind.
Also worth noting are Article 25(6) and Article 29 of the PIPA, which prescribe measures to prevent personal data loss, theft, alteration, or damage.
To meet this threshold, companies must create an internal management plan detailing their security measures and clear policies for data retention, which must be shared with the responsible parties and data subjects.
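The opt-in consent dashboard and the separate consent for overseas transfer described above can be modelled as an append-only consent ledger. The sketch below is an added example written for this article; it is not Didomi's code and not anything prescribed by the PIPA text. All names (ConsentLedger, Decision, the purpose strings, the notice version labels) are hypothetical. It shows the two properties a practitioner most often gets wrong: consent is never implied (absence of a record means "not permitted"), and an overseas transfer requires its own explicit, un-revoked grant on top of the base purpose.

```python
"""Opt-in consent ledger sketch (hypothetical example, not Didomi's code).

Models the requirements discussed above: consent is an affirmative act
per purpose (no default or implied consent), overseas transfer needs its
own consent, and every grant / refusal / revocation is kept as a
timestamped audit trail so a proof of consent can be produced later.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    GRANTED = "granted"
    REFUSED = "refused"
    REVOKED = "revoked"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # e.g. "marketing", "overseas_transfer" (constructed labels)
    decision: Decision
    notice_version: str     # which version of the privacy notice the subject saw
    recorded_at: datetime


@dataclass
class ConsentLedger:
    """Append-only ledger; the latest event per (subject, purpose) is authoritative."""
    events: list = field(default_factory=list)

    def record(self, subject_id, purpose, decision, notice_version, at=None):
        at = at or datetime.now(timezone.utc)
        ev = ConsentEvent(subject_id, purpose, decision, notice_version, at)
        self.events.append(ev)   # never rewritten: revocation is a new event
        return ev

    def latest(self, subject_id, purpose):
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None              # no record at all

    def is_permitted(self, subject_id, purpose):
        """Opt-in semantics: only an explicit, un-revoked GRANTED counts."""
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.decision is Decision.GRANTED

    def can_transfer_overseas(self, subject_id, base_purpose):
        """Overseas transfer needs the base purpose AND a separate transfer consent."""
        return (self.is_permitted(subject_id, base_purpose)
                and self.is_permitted(subject_id, "overseas_transfer"))

    def proof(self, subject_id, purpose):
        """Audit trail for one subject and purpose, oldest first (the 'proof of consent')."""
        return [ev for ev in self.events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def demo():
    """Walk one constructed subject through grant, transfer consent and revocation."""
    ledger = ConsentLedger()
    before = ledger.is_permitted("subject-42", "marketing")          # False: nothing recorded
    ledger.record("subject-42", "marketing", Decision.GRANTED, "notice-v2")
    transfer_without_consent = ledger.can_transfer_overseas("subject-42", "marketing")  # False
    ledger.record("subject-42", "overseas_transfer", Decision.GRANTED, "notice-v2")
    transfer_with_consent = ledger.can_transfer_overseas("subject-42", "marketing")     # True
    ledger.record("subject-42", "marketing", Decision.REVOKED, "notice-v2")
    after_revoke = ledger.is_permitted("subject-42", "marketing")    # False
    return before, transfer_without_consent, transfer_with_consent, after_revoke, ledger


if __name__ == "__main__":
    print(demo()[:4])
```

Because the ledger is append-only, the `proof()` output doubles as the evidence trail a regulator or data subject may ask for, and a revocation never erases the earlier grant, only supersedes it.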
How can Didomi help with compliance in South Korea
From an enforcement angle, the PIPC takes no prisoners. Just ask industry giants Google’s Alphabet and Meta, which attracted fines of ₩69.2 million (nearly 50 million USD) and ₩30.8 million (22+ million USD), respectively, for failing to inform users about how they handle sensitive personal information.
Most of these changes have come into effect on 15th September 2023, and businesses should make sure to update their compliance strategy accordingly.
The Didomi Consent Management Platform (CMP) is of precautionary value here, as is our Advanced Compliance Monitoring module, used to track compliance in real time with alerts on potential data breaches and privacy violations, and the rest of our Privacy Suite's features (Versions and Proofs, Privacy Request Module, etc.) that can help you and your team keep all your compliance ducks in a row.
To learn more, get in touch with one of our experts.
Frequently Asked Questions (FAQ)
How is the privacy law in South Korea different from the GDPR?
South Korea's privacy law, known as the Personal Information Protection Act (PIPA), differs from the EU's GDPR in a few key ways:
The PIPA has a broader scope, as it applies to both public and private sector entities, whereas the GDPR only applies to personal information processing for commercial purposes. The PIPA also includes specific biometric and location data provisions, while the GDPR doesn’t.
Does South Korea have a data privacy law?
The legal framework for data privacy in South Korea rests on the Personal Information Protection Act (PIPA), the primary legislation governing the collection, use, and disclosure of personal information in South Korea.
It applies to data handlers, public and private sector entities, and foreign organizations that handle the personal information of Korean citizens.
What is the Credit Information Use and Protection Act in South Korea?
In addition to PIPA, South Korea has implemented several other regulations and guidelines to protect personal information, one of which is the CIPA “Credit Information Use and Protection Act 1995” (as amended in 2016).
It regulates the use and sharing of such information by credit reporting agencies and other related entities. Under this law, credit reporting agencies must seek consent before collecting and using credit information.
Restrictions also abound. For instance, credit reporting agencies are prohibited from disclosing credit information to third parties without the data subject's consent, except where necessary to meet legal or regulatory requirements. In keeping with its objective to protect sensitive personal data, it also outlaws the use of credit information for discriminatory purposes, for example denying someone a job or housing based solely on their credit history.
Does Korea have censorship laws?
South Korea has laws regulating various forms of media and expression. There's the National Security Act (as amended in 2020), the Basic Press Act, and Article 21, which spells out limitations on freedom of speech within the country.
These laws are administered through regulatory bodies like the KCC and the KCSC.
The KCC (Korea Communications Commission) oversees and manages the broadcasting and telecommunications sector. The KCSC (Korea Communications Standards Commission), on the other hand, is a committee inside the KCC whose major regulatory remit is the Internet. The KCSC is designed to monitor internet content, especially against ethical standards. It's the body with the power to enforce internet standards on online service providers and content hosts.
Does the GDPR apply to Korean data?
The GDPR is an EU law that governs data privacy and protection. While GDPR applies to entities within the EU, it also applies to entities outside the EU processing the personal information of individuals in the EU.
South Korea has its own legal framework to protect personal data, namely the Personal Information Protection Act (PIPA). However, South Korea is not part of the EU and is not subject to the GDPR unless a company offers goods or services to individuals in the EU or monitors their behavior. In such cases, South Korean companies would need to comply with the GDPR when processing the personal data of EU individuals.
It's also worth noting that South Korea and the EU have signed a free trade agreement that includes provisions for data protection. The agreement encourages both sides to adopt data protection regulations that are compatible with each other, which could lead to closer alignment between GDPR and South Korea's data protection laws in the future.