Asian countries are not exactly known for their comprehensive protection of personal data. South Korea is a convincing exception in this regard. With the Personal Information Protection Act (PIPA), the country has given itself a law comparable to the EU General Data Protection Regulation (GDPR). In some respects, South Korea’s data protection law is even stricter.
Current legal situation in South Korea
The PIPA entered into force in its new version on 5 August 2020. Parts of the national Credit Information Act and Network Act were integrated into the Data Protection Act.
The most important innovation of the PIPA, besides the special protection of pseudonymized data, is the introduction of the PIPC (Personal Information Protection Commission) as an independent supervisory authority. The monitoring of data protection compliance and the preparation of practice recommendations are thus taken away from the Ministry of the Interior and Social Affairs and assigned to an independent authority that reports directly to the prime minister.
This paved the way for an adequacy decision from the EU under Article 45 of the GDPR. Accordingly, on December 17, 2021, the EU Commission certified South Korea as having a level of protection comparable to the GDPR.
Similarities between PIPA and GDPR
The principles of PIPA should sound familiar. These include: Purpose, Lawfulness, Integrity, Confidentiality, Transparency, and the Data Minimization Principle.
Processing is allowed based on consent or a statutory obligation, as in the GDPR. Particularly sensitive data may also be processed if required by law or if the data subjects have given their consent.
Analogous to the GDPR, data subjects have the right to a copy, the right to object, and the right to deletion, provided that there are no retention obligations. Data subjects must be informed about the processing of their data by the controller in the form of a so-called data protection policy.
Differences between PIPA and GDPR
The term “personal data” is understood somewhat more narrowly in South Korea’s PIPA than in the GDPR. Whether a person is identifiable is also measured by the factors of cost and time.
Another legal basis allows data processing when it is clearly necessary for the physical security and property interests of the data subject, but consent cannot be obtained.
The use of pseudonymized data for this purpose is more strictly regulated than in the GDPR and is generally only permitted if the data subject has given consent.
Consent must also be obtained in principle for the use of cookies of any kind.
In contrast to the GDPR, PIPA does not contain a general right to data portability. However, under the amended Credit Information Act, a data subject has the right to data portability with respect to his or her personal credit information.
For commissioned processing, the transferred scope of work and the name of the processor must be disclosed in such a way that data subjects can easily view and verify this information. The controller must also monitor and train the data recipient to prevent a data breach. If the processor violates the law and this results in liability, the processor will be treated as an employee of the controller.
If there is a data breach involving more than 1,000 data subjects, it must be reported immediately to the PIPC.
In addition to these rather minor differences, three glaring differences from the GDPR stand out:
- An internal data protection officer must be appointed regardless of the size or nature of the processing operations.
- The data protection officer will be held accountable and personally subject to criminal investigation after a breach.
- The transfer of personal data abroad requires the consent of the data subjects, which poses significant challenges for many foreign companies.
Peculiarities of PIPA concerning direct marketing
The express consent of the data subjects must be obtained before sending e-mails or other electronic messages for marketing purposes or in the case of direct marketing by telephone. Exception: advertising may be sent without consent by electronic message or direct telephone marketing to addresses derived from a previous sale of goods or services within six months of that sale.
To send advertising by e-mail, the title of the e-mail message must begin with the heading “Gwango” (Korean: Advertisement) and the content of the e-mail message must include the sender’s contact information and instructions on how recipients can easily express their intention to opt out of receiving further advertising.
The Korean Fair Trade Commission has established a do-not-call registry under the Doorstep Selling Act to protect consumers from unauthorized telemarketing practices. A telemarketer must ascertain whether a consumer has entered his or her telephone number in the do-not-call registry and may not call consumers whose numbers are on the registry.
Peculiarities of PIPA concerning data security
Article 24(3) of PIPA explicitly restricts the management of personal data and requires controllers to take the necessary measures, including encryption, to prevent the “loss, theft, leakage of data, alteration or falsification” of such data.
Similarly, Article 25(6) and Article 29 require that the necessary measures be taken to ensure that personal data is not lost, stolen, altered or damaged. Organizations are required to present these security measures in the form of a so-called internal management plan to responsible parties and data subjects.
Sanctions provided for in PIPA
South Korea has an established track record for enforcing data protection laws. Chapter 9 of the PIPA regulation provides for harsh sanctions for violations of data protection regulations. Possible consequences include fines of up to 3% of the violator’s total turnover and imprisonment of up to five years.
If the data controller cannot disprove that a data breach resulted from its intentional or grossly negligent conduct, a court may award damages of three times the actual loss after analyzing the totality of the circumstances.
Alternative dispute resolution (mediation for personal data disputes) and class actions are available to facilitate faster resolution of disputes. However, class actions are limited to obtaining injunctive relief against a responsible party who violates the law and cannot be used for compensation purposes.
Conclusion: PIPA makes South Korea highly interesting from a data protection perspective
South Korea has aligned itself with the GDPR on many points. In some areas, it sets even stricter standards for data processing. For example, the consent of data subjects to the transfer of data abroad presents many foreign companies with implementation problems.
South Korea has created a unique standard of data protection in East Asia with the new PIPA, which makes it easier for EU companies to exchange data with South Korea and promotes trade with the economically strong country. The EU Commission’s adequacy decision is therefore more than justified.
