On May 18, 2023, South Korea’s privacy regulator, the Personal Information Protection Commission (PIPC), released for public consultation a draft decree[1] under the Personal Information Protection Act (PIPA). The key changes proposed in the draft decree are as follows.


The draft decree seeks to enhance the right, under the PIPA, of citizens who are data subjects to determine how their personal data may be processed. This is done by specifying that, where consent is the appropriate basis for processing personal data, such consent must be freely given by each data subject after it has been made explicitly clear to them that they can choose whether or not to consent. This includes ensuring that any personal data processing policy is implemented and disclosed in an easy-to-understand manner.

Where personal data is collected from a third party other than the data subject, the draft decree streamlines the requirement for notification that must be given, to the third-party source, of the details of use of the data subject’s personal data.

Online Versus Offline Processing

The draft decree seeks to adopt a “technology-neutral” approach in the PIPA, such that the same standards will be applied to both online and offline personal data. Such unification of currently fragmented regulations, and the rearrangement of operational standards, would align more closely with today’s digital society.

In an environment where mobile image information processing devices such as drones and self-driving cars are common, the draft decree proposes that devices, including CCTV and mobile phone cameras, can be installed and used where the video recordings are necessary to protect human lives or for emergency purposes.

Severity of a Violation

The draft decree also sets out the following criteria for ascertaining the severity of a PIPA violation:

  1. The nature and degree of the violation
  2. The type of personal data affected, and the impact that its compromise has on the relevant data subject
  3. The extent of damage to the relevant data subject

Data Breach Notifications

Data breaches involving sensitive information or unique identification information of more than 1,000 people, which arise from hacking, must be reported to the PIPC within 72 hours of their discovery, unless there is a justifiable reason not to report. An affected data subject must also be notified of such a breach within 72 hours of its discovery, regardless of the scale of the breach, unless there is a justifiable reason.

Cross-border Data Transfers

With regard to overseas transfers of personal data, while the amended PIPA has expanded the requirements and mechanisms for such transfers from South Korea, the draft decree will entitle the PIPC to issue stop orders to effectively prevent an infringing overseas transfer from taking place or continuing.

Public Sector

The draft decree seeks to strengthen the data protection standards adopted by the public sector, by imposing an obligation for public institutions operating large-scale public systems to conduct personal data file registrations and personal data impact assessments. It proposes that public sector bodies implement safety measures that include having an internal management plan, access controls, record-keeping protocols and incident notification to affected data subjects of any unauthorized access, as well as setting up a dedicated department, appointing a manager and establishing a public system council that is dedicated to data protection.

Children’s Data

The draft decree also seeks to integrate the currently dispersed regulations applicable to the protection of children’s personal data.

Public Consultation

Comments and feedback on the draft decree can be submitted through the National Participation Legislation Center, or by email or post to the PIPC, no later than June 28, 2023.


The amendments proposed under the draft decree are significant and will impact any business that processes personal data in Korea. As the runway for compliance is tight, it is important to work with external counsel to ensure that policies and practices adhere to the new or revised requirements so as to get into compliance ahead of the updated law coming into force. Privacy World will continue to cover developments. For more information, contact your relationship partner at the firm.

Charmian Aw

Partner, Singapore

[1] 230519_PIPC_PIPA DECREE DRAFT.pdf (only in Korean).

[2] Amendments to the PIPA were passed by the National Assembly on February 27, 2023, and will generally take effect on September 15, 2023. Certain provisions, such as the right to object to automated decision-making, will only take effect on September 15, 2024, and data portability at a later date to be announced.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.