The amendment comes more than two years after the Personal Information Protection Commission ('PIPC') proposed the initial draft amendment bill. The amended PIPA will take effect on 15 September 2023.
The amended PIPA aims to give momentum to the growth of Korea's digital economy based on emerging technologies and data, and includes the following key changes:
- strengthening the rights of data subjects by introducing the right to data portability and the right to object to automated decision-making;
- simplifying the application of the PIPA for all data controllers by removing special provisions for online service providers;
- shifting from criminal sanctions towards economic sanctions; and
- providing additional grounds for overseas transfer of personal information (similar to EU GDPR's adequacy decision) in addition to the current stringent consent requirement.
Most provisions in the amended PIPA will take effect six months after the promulgation of the law, i.e. on 15 September 2023. However, certain provisions, including the right to object to automated decision-making, will take effect one year after promulgation. The right to data portability will take effect on a date to be determined by the Enforcement Decree of the PIPA, falling between one and two years after the promulgation of the law.
Strengthening the rights of data subjects
The amended PIPA enhances the rights of data subjects by introducing the right to data portability and the right to object to automated decision-making.
Right to data portability
The amended PIPA grants data subjects the right to request that their personal information be transmitted to themselves or to a third party who satisfies the security standards to be specified in the Enforcement Decree.
Upon receiving a transmission request, a data controller must ensure that the requested information is transmitted within a reasonable timeframe, at a reasonable cost, and via reasonable means. The data controller may either reject or suspend a transmission request if the identity of the requesting data subject is not confirmed, or if other conditions specified in the Enforcement Decree are met.
The scope of personal information that can be transmitted, the process of requesting transmission, the deadline and method of transmission, the method of revoking a transmission request, the method of rejecting or suspending a transmission request, and other related aspects will be prescribed in the Enforcement Decree.
Right to object to automated decision-making
The amended PIPA also gives data subjects the right to refuse, or to request an explanation of, decisions made by fully automated systems (including artificial intelligence systems) that process personal information and substantially affect the rights or obligations of the data subjects. If a data subject exercises this right, the data controller must stop applying the automated decision or take other necessary measures (e.g. re-processing the personal information manually or providing an explanation), unless there are justifiable reasons for not doing so.
Integrating the rules applicable to ordinary data controllers and the special provisions applicable to online service providers
Prior to the amendment to the PIPA, online service providers ('OSPs') were subject to special provisions in addition to the general provisions applying to ordinary data controllers. However, with the amended PIPA, all provisions of the PIPA now apply equally to both general data controllers and OSPs.
The following special provisions, which previously only applied to OSPs, will be applicable to all data controllers:
- Data controllers meeting the standards prescribed by the Enforcement Decree will be required to notify data subjects regularly about the use and third-party provision history of their personal information, or provide access to a system that shows this.
- Data controllers meeting the revenue and personal information possession standards prescribed by the Enforcement Decree will need to take necessary measures such as purchasing insurance, joining mutual aid associations, or accumulating reserves to cover their liability to compensate for damages caused by violation of the PIPA.
- Data controllers with no address or business office in Korea meeting the criteria prescribed by the Enforcement Decree will be required to designate a local representative to act on their behalf.
- Data controllers must promptly notify data subjects of any data breach, unless the data controller does not possess the contact information of the data subject (in which case alternative measures prescribed under the Enforcement Decree should be taken). Additionally, data controllers are required to report to the authorities without delay if the scale of the loss, theft, or leak exceeds a certain threshold as stipulated in the Enforcement Decree.
On the other hand, the special provision requiring OSPs to delete or separately store the personal information of data subjects who have not used the service for one year has been deleted. In sum, these changes represent a shift towards increased consistency and clarity in the application of data protection requirements under the PIPA.
A shift from criminal sanctions to economic sanctions
Change in the scope of criminal penalties
The amended PIPA replaces criminal sanctions with administrative penalties for certain violations of the PIPA. In particular, it removes the criminal penalty for data breaches caused by a failure to take the required data protection measures.
However, despite the general trend toward economic sanctions, the amended PIPA adds new types of violations that may be subject to criminal sanctions. These violations include obstruction of investigation by the authority by concealing, destroying, forging, or falsifying documents, or refusing access to premises.
Change in the scope of administrative penalties
The amended PIPA also broadens the grounds for imposing administrative penalties. Before the amendment, ordinary data controllers (non-OSPs) were subject to administrative penalties only for a narrow set of violations, such as the loss or leakage of Resident Registration Numbers or the processing of pseudonymised data to identify an individual, whereas OSPs were subject to administrative penalties for a wider range of violations. Under the amended PIPA, all data controllers can face administrative penalties for that wider range of violations.
Change in the administrative penalty amount
Under the current PIPA, the administrative penalty applicable to OSPs is up to 3% of the 'revenue related to the violation'. Under the amended PIPA, the base amount for the administrative penalty has been adjusted to the 'total revenue'. To ensure that the penalty amount remains proportional to the severity of the violation, 'revenue unrelated to the violation' may be excluded from the calculation. However, if the data controller fails to submit the requested materials or provides false materials for calculating the base amount, total revenue will be used as the base amount. In effect, the burden of proving the relevant revenue now lies with the data controller.
Establishing additional legal bases for overseas transfer of personal information and the PIPC's right to order a suspension of overseas transfer
Under the current PIPA, data controllers must obtain consent from data subjects before transferring personal information overseas. The amended PIPA adds new legal bases for such transfers. These include situations where a special provision of law, treaty, or international agreement specifically allows the overseas transfer of personal information; where the overseas recipient has obtained a certification determined and announced by the PIPC; or where the personal information is transferred to a country or international organisation that the PIPC has determined to provide an adequate level of protection.
Furthermore, the amended PIPA authorises the PIPC to suspend any ongoing or future overseas transfer of personal information. The PIPC can issue a suspension order if an overseas transfer violates the PIPA (e.g. when an overseas transfer took place without legal grounds, or when the transferring data controller enters into a written contract concerning overseas transfer in violation of the PIPA), or when a data subject has experienced or is highly likely to experience harm due to the recipient failing to provide an adequate level of protection.
- All data controllers will need to update their privacy statements and policies to reflect the additional rights of the data subjects introduced by the amended PIPA, such as the right to data portability and rights related to automated decision-making, to the extent applicable.
- All data controllers will need to update their privacy statements and policies to reflect changes in their privacy obligations. In particular, ordinary data controllers (including offline businesses and data controllers in employer-employee contexts) will need to consider additional obligations under the amended PIPA.
- Given the increased risk of administrative penalties, we recommend that all data controllers review and strengthen their compliance practices to ensure that they are in full compliance with the amended PIPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.