On 9 January 2020, the Korean National Assembly passed amendments (collectively, the ‘Amendments’) to three major data privacy laws: the Personal Information Protection Act (‘PIPA’), the Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘Network Act’) and the Act on the Use and Protection of Credit Information (‘Credit Information Act’).
The Amendments largely aim to:
The Amendments will become effective six months from promulgation by the President, except for certain provisions in the Credit Information Act, which will come into effect one to one and a half years after its promulgation (as further specified in the President Decree relating to it).
Please see below for a summary of key changes introduced by the Amendments. Specifics of the Amendments are yet to be finalised as the Enforcement Decrees and related official notices by governing bodies are not available at the time of writing.
Key Changes: PIPA
Distinguished concepts of personal data, pseudonymised data and anonymised data (excluded anonymised data from the scope of personal data).
Permitted processing of pseudonymised data for statistical, scientific research, or public interest record-keeping purposes.
Permitted combination of pseudonymised data of personal data controllers through specialised agencies.
Credit Information Act
Reasonable use of ‘Personal Data’ without obtaining consent
Under the amended PIPA (Paragraph (3) of Article 15 and Paragraph (4) of Article 17), a personal data controller will be permitted to use and release personal data without obtaining the consent of the data subject in the manner prescribed by Presidential Decree: ‘within a scope that is reasonably related to the original purpose of collection’ and ‘after considering whether the data subject’s rights would be infringed upon and/or measures to secure the integrity of the personal information have been properly taken.’
Although we await the Enforcement Decree to guide us on the interpretation of the phrase ‘within a scope that is reasonably related to the original purpose of collection,’ an official notice issued by the Ministry of the Interior and Safety on 9 January 2020 mentions that matters such as the ‘circumstances under which personal data were collected,’ ‘level of sensitivity of the personal data at stake,’ ‘potential impact which may be imposed upon the data subjects’ and ‘whether proper safeguard measures are in place’ should be considered when determining whether the proposed use satisfies this ‘reasonableness’ test.
The Ministry’s position appears to be similar to that in Recital 50 of the European Union’s GDPR, which provides that:
‘[t]he processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected.’
Recital 50 of the GDPR stipulates that one should take into account, inter alia, ‘the context in which the personal data have been collected,’ ‘the reasonable expectations of data subjects […] as to their further use,’ ‘the nature of the personal data,’ ‘the consequences of the intended further processing for data subjects,’ and ‘the existence of appropriate safeguards in [… the] intended further processing operations’ in order to ascertain whether a purpose of further processing is compatible with the original purpose of collection.
Accordingly, we anticipate that organisations will probably need to establish justifiable grounds for use of personal information without obtaining the data subject’s consent by evaluating the ‘reasonable relevance’ of personal data that they intend to use and maintaining and preserving relevant records.
Facilitation of EU market access by responding to GDPR
Korea is yet to receive the adequacy decision from the European Commission because of its finding of a lack of independence on the part of PDPC, which has been the body with the authority to enforce and oversee personal data protection matters in Korea. Since the Amendments have transferred from other bodies certain authorities to the PDPC as previously mentioned, it is hopeful that Korea will be able to receive an adequacy decision from the European Commission.
Assuming that an adequacy decision will soon be received, we anticipate that Korean companies’ entry into the EU market may be facilitated, as transfer of personal data from EU member states to Korea will become easier. Companies will need to verify in advance whether they are subject to the GDPR and, if so, ensure compliance with the legal requirements set out under the GDPR to reduce legal risk.