Overview of South Korea’s Personal Information Protection Act (PIPA)

1. Introduction

South Korea has elaborate laws and regulations related to personal data protection. The Personal Information Protection Act ("PIPA") was first enacted on September 30, 2011. The Act sets strict rules that govern the collection, usage, disclosure, and other processing of personal information by government bodies, private entities, and individuals. The recent amendments to the Act and the amended Enforcement Decree came into force on September 15, 2023.

Under the PIPA, South Korea has laid out specific requirements for handling personal information and taking the data subject's consent as an integral part of almost every step.

2. Who Needs to Comply with PIPA

A. Personal Scope

The PIPA applies to any personal information controller. A personal information controller could be an individual, a public agency, a juridical person, or an organization that handles the data subject's personal information either themselves or through a third party. If PIPA applies to an entity, it must comply with the law.

The PIPA applies to the processing of personal information. ‘Processing’ under the law is defined as the 'collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal information or any other action similar to any of the preceding.'

B. Territorial Scope

The PIPA does not explicitly define its territorial or extraterritorial scope. Nonetheless, it considers several factors when determining whether a foreign entity is subject to the PIPA (for instance, whether the entity provides services targeted at Koreans or whether the company generates revenue from doing business in South Korea).

3. Definitions of Key Terms

A. Personal Information

The PIPA has an extensive meaning of ‘personal information.’ For easier understanding purposes, personal information under PIPA refers to a natural living person with a:

• Name
• Resident registration number (RRN)
• Image.

B. Sensitive Data

Under the PIPA, sensitive data is regarded as the personal information of an individual's:

• Ideology
• Faith
• Trade union
• Political party membership
• Political views
• Health
• Sexual orientation
• Genetic information
• Criminal records
• Physical information
• Physiological information
• Behavioral characteristics
• Any other personal information that may cause a material threat to the privacy of the data subject

C. Biometric Data

While the PIPA does not explicitly define biometric data, it takes an individual's physical, physiological, and behavioral characteristics from ‘sensitive data’ as a means to identify the person.

D. Personal Information Controller

The PIPA takes inspiration from the EU’s GDPR regarding the concept of a personal information controller. It includes natural and legal entities that process personal information.

E. Personal Information Handler

Under the PIPA, the concept of personal information controller is defined extensively. Therefore, data processing entities must regularly provide personal information handlers with necessary educational programs to ensure the appropriate handling of personal information.

To ensure the safe administration of personal information, personal information controllers must perform proper control and supervision against those who process personal information under their command and supervision, such as officers or employees, temporary agency workers, and part-time workers.

4. Obligations for Organizations Under PIPA

A. Consent Requirements

Under the PIPA, personal information controllers must issue a notice when processing personal information. Generally, explicit consent is required before collecting, using, and providing third parties’ personal information, subject to certain exceptions.

Personal information controllers and Information and Communications Service Providers (ICSPs) are required to specify the following matters when seeking consent from data subjects for the collection and use of their personal information:

• the purpose of the collection and use of personal information;
• the items of personal information to be collected/used;
• the period for retaining and using personal information; and
• the data subject's right to refuse his/her consent and outline any disadvantages, if any, which may follow from such refusal.

Additionally, personal information controllers and ICSPs are required to explicitly state the following matters when seeking consent from data subjects for the provision of personal information to third parties:

• the specific name of the third-party recipient;
• items of personal information to be shared;
• third-party recipients' purposes of use;
• period of retention and use by the third-party recipient; and
• the data subject's right to refuse his/her consent and outline any disadvantages, if any, which may follow from such refusal.

According to the recent amendments, additional flexibility is allowed in data processing activities if the cases involve processing personal information to protect people from physical threats or property loss, emergency rescue operations, or mitigating public health crises such as COVID-19.

Moreover, the Personal Information Protection Commission (PIPC) has clarified certain principles for using personal information without consent. They have stated that as per the PIPA Enforcement Decree:

• Personal information necessary for fulfilling a service contract can be processed without requiring explicit consent from the data subject. However, to ensure transparency and compliance, it must be separated from other information requiring consent.
• If sensitive information or unique identifiers are needed for the service, separate explicit consent must be obtained unless otherwise provided by PIPA.

B. Security Requirements

The PIPA demands that personal information controllers maintain the security of personal information in their possession. They must diligently evade risks of infringement of data subjects' privacy by taking technical, administrative, and physical measures necessary to ensure the security of their personal information.

C. Data Breach Requirements

The PIPA enforces the personal information controller to notify a data subject whose data has been affected by a breach. When a personal information controller becomes aware that the personal information of data subjects has been breached, the personal information controller must promptly notify data subjects of the following:

• Specifics of the disclosed personal information;
• When and how has personal information been made public;
• Any information regarding how data subjects can reduce the risk of harm from disclosure;
• The personal information controller's countermeasures and remediation procedure;
• Setting up a help desk and other contact points for the data subjects to report the damage.

PIPA requires a personal information controller to plan for and implement countermeasures to reduce the risk of harm in the event that personal information is disclosed.

D. Chief Privacy Officer (CPO) Requirement

The PIPA enables all personal information controllers to appoint certified officials as privacy officers. These privacy officers will eventually take control of how personal information is handled.

The CPO's responsibilities under the PIPA are:

• Creating and implementing personal information protection plans,
• Conducting periodic investigations and updating the status and procedures of personal information processing,
• Resolving complaints and repairing damage caused by the processing of personal information,
• Developing internal control measures to avoid personal information loss, misuse, and abuse,
• Designing and implementing personal information protection training sessions,
• Monitoring, managing, and protecting personal information files,
• Developing, updating, and putting into effect a personal information processing policy,
• Managing items relating to the security of personal information, and
• Discarding personal information after the processing goal has been met or the retention time has passed.

The CPO does not have to be a citizen, and if a CPO is not designated, a maximum administrative fine of KRW 10 million may be imposed on the entity engaging in personal information processing.

E. Privacy Policy Requirements

The PIPA outlines a series of personal information processing policies that must be included in a privacy policy, including, but not limited to:

• the purposes of processing,
• retention period,
• information on provision and outsourcing,
• disposal of personal information.

The PIPA instructs personal information controllers to publicly disclose their privacy policies in a way that allows data subjects to thoroughly examine the stated terms of these privacy policies, including any revisions made to them, at any time.

F. Data Protection Impact Assessment

Under the PIPA, only a public institution shall conduct a Data Protection Impact Assessment (DPIA). The DPIA can be undertaken in cases where there is a noticeable risk of an infringement regarding the personal information of data subjects.

The head of the respective public institution will conduct an impact assessment to analyze risk factors (if any) and ways to improve them and submit the findings to the PIPC.

G. Record of Processing Activities

Even though the PIPA does not require organizations to maintain a record of processing activities, it does require personal information controllers to manage and sustain log-in records that document access given by personal information controllers to a data processing system.

The access could be given to officers, employees, workers, or anyone else who processed personal information under the direction and supervision of the personal information controller for at least one year. In addition, PIPA demands that the log-in records contain the reason of access, an ID number, date and time of entry, information to identify the person of access, and the number or types of tasks performed by the personal information controller while on the processing system.

H. Cross-Border Information Transfer Requirements

Personal information controllers are advised not to enter into information transfer agreements with vendors not complying with privacy laws and regulations. The Personal Information Protection Commission has released Regulations on the Overseas Transfer of Personal Information.

The PIPC delineates the operations of the Overseas Transfer Expert Committee, specifying procedures for recognizing the level of personal information protection in the destination country and addressing matters related to the cancellation and modification of such recognition.

This committee evaluates overseas data transfers and has the authority to issue certifications or order the suspension of transfers based on its assessments. Regarding information transfer to a third party overseas, the PIPA requires personal information controllers to obtain data subjects' prior consent.

I. Appointing a Domestic Agent

Oversees personal information processors that handle significant volumes of personal data are required to appoint a domestic agent. This domestic agent must have a physical address or sales office in South Korea and must be designated through a formal written agreement. They are responsible for:
handling complaints related to the processing of personal data,
reporting personal data breaches, and
submitting requested materials to relevant authorities.

Additionally, the personal information processor is required to actively supervise the domestic agent, ensuring they are properly educated and compliant with their duties. In the event that the domestic agent violates any provisions of the law, the personal information processor will be held accountable.

J. Preliminary Adequacy Review System

The Personal Information Protection Commission (PIPC) also initiated the 'Preliminary Adequacy Review System’ on October 13, 2023. This initiative is designed to ensure secure personal information use in emerging technologies, such as artificial intelligence.

The system allows business operators uncertain about compliance with the PIPA to apply for a prior adequacy review by the PIPC. This review process determines a compliance plan. A pilot operation will assess effectiveness, with full-scale implementation anticipated by January 2024, contingent upon successful outcomes.

1. Exceptions to the General Rule

The following situations are exceptions to the general rule:

• Whenever any Act contains special provisions, or it is required to comply with an obligation imposed by or under any Act or subordinate Act,
• When it is necessary for a public institution to carry out its responsibilities as set out in any Act or subordinate statute, and
• Where it is evident that it is necessary for a data subject's physical safety and property interests or the data subject is unable to give consent for whatever reason.

2. Consent for Information Transfer

A personal information controller must acquire consent after notifying the data subject of:

• The individual or entity to whom personal information is transferred,
• The intended use of the personal information by the person or the entity,
• Categories of personal information transferred,
• The timeframe for which the person or the entity will possess the personal information, and
• The data subject has the right to refuse consent.

3. Notification after Transfer of Information

In an event where personal information is transferred to a third party, PIPA makes it imperative that data subjects be notified of the following:

• The third-party source (transferor) from which the personal information was acquired,
• The intended purpose and use of obtaining the personal information, and
• The data subject has the right to suspend the use of their personal information.

According to the recent amendments, the transfer of personal information to third-party destinations abroad has been broadened to allow it to countries with the same level of data protection as South Korea, or to certain certified companies. While the personal information controller is not subject to any additional obligations beyond the general standards for third-party transfer outlined above, there is a special provision for cross-border transfer of users' personal information. Users are defined as all individuals who use the telecommunications services provided by Online Service Providers.

If a user's personal information is transferred to an entity located outside of the country, Online Service Providers must inform the user and acquire their consent for the following:

• The exact information to be sent to a foreign country;
• The destination country;
• The date, time, and method of transmission;
• The name of the third party and the contact details for the third party's person in control of personal information; and
• The aim of the third party's use of the personal information and the retention and usage period.

Additionally, the recent amendment introduces the possibility of ordering the suspension of cross-border data transfers in case of violation of the law. The maximum penalty amount is to be calculated based on the total revenue generated, minus the amount of revenue incurred from activities unrelated to the violation.

5. Data Subject Rights

The PIPA grants data subjects the following rights:

A. Right to be Informed

Under the PIPA, data subjects have the right to be informed of the storage, processing, and sharing of their personal information. Personal information controllers and ICSPs are responsible for informing the data subjects.

B. Right to Access

PIPA enables a data subject to request access to his/her personal information that is processed by the personal information controller and with whom it is shared.

C. Right to Rectification

The PIPA enables data subjects the right to request the rectification of their information by the relevant personal information controller if they have previously accessed their personal information. Data subjects who may have been denied access to their personal information may not exercise their right to request rectification of their personal information.

D. Right to Erasure

Under the PIPA, data subjects who have previously accessed their personal information have the right to request the erasure of their personal information from the relevant personal information controller.

E. Right to Object/Opt-Out

Under the PIPA, personal information controllers who are ICSPs are required to allow data subjects to opt-out of their consent to the processing of their personal information at any given time. In addition, personal information controllers must also respond to a data subject's request if they wish further to suspend the processing of his/her personal information.

F. Consent

The data subjects have the right to choose whether or not to consent to the processing of their personal information, as well as the scope of that consent.

G. Right to Redressal

Data subjects have the right to swift and reasonable remedies for any harm caused by the processing of their personal information. The recent amendments state that a more prompt remedy is to be provided through a privacy-related dispute resolution procedure and that both public institutions and private companies are mandated to participate in dispute resolution proceedings.

H. Right to Data Portability

The Amended PIPA contains provisions relating to the right to data portability that will take effect at a to-be-announced date between 12 and 24 months after its promulgation date, i.e., 14 March 2023. This would grant data subjects the right to request that their personal information be transmitted to either themselves or eligible third parties.

6. Regulatory Authority

The main data protection authorities for PIPA are:

1. PIPC;
2. Korea Communications Commission;
3. Korea Internet & Security Agency (KISA); and
4. Financial Services Commission.

7. Penalties for Non-Compliance

Data regulators such as the PIPC, the KCC, and the FSC have the power to impose numerous administrative penalties such as:

• corrective orders,
• administrative fines, and
• penalty surcharges for violations of respective laws and regulations.

The PIPC has recently issued comprehensive guidelines in accordance with Article 65(2) of the PIPA and Article 58 of the PIPA Enforcement Decree. These guidelines outline specific standards for disciplinary action concerning violations of personal information protection laws and regulations. Effective September 15, 2023, these guidelines empower the PIPC to recommend disciplinary actions in certain cases.

In addition, public prosecutors may also conduct examinations on any violations which may lead to criminal punishment. Simultaneously, under the PIPA, personal information controllers may become civilly liable to any data subjects who may suffer damages due to such violations.

Under the PIPA, the PIPC may impose a penalty not exceeding 100 million won and imprisonment of no more than 10 years. Breach of PIPC provisions can lead to an administrative fine of up to 3% of the data controller’s sales revenue related to the activity violating the PIPA.

8. How an Organization Can Operationalize the PIPA

To comply with PIPA, organizations must:

1. Conduct a thorough data mapping exercise to better understand the types of data an organization uses, its purposes, and well data chambers are protected.
2. Should Identify personal information that they consider as “sensitive.”
3. Stay consistent with the data mapping exercise to ensure it stays current and eliminate the need for ‘additional personal information’ that isn’t necessarily required by the organization or the law.
4. Update the organization’s processes, policies, procedures, and systems to comply with the PIPA requirements.
5. Conduct a data protection impact assessment.
6. Possibly engage a third party to conduct a cybersecurity audit of the organization’s processes, especially if they might pose a risk to consumers’ privacy or security.
7. Adopt Privacy by Design principles when developing new products and services.

9. How Securiti Can Help

The worldwide dynamics of accessing and sharing personal data are rapidly evolving, pushing businesses to become more privacy-conscious in their processes and responsible guardians of their customer's data, all while automating privacy and security operations for quick response.

With an ever-growing database of users and potential users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you comply with South Korea’s PIPA and other privacy and security regulations worldwide.

See how it works. Request a demo today.

Frequently Asked Questions (FAQs)