The amendment comes more than two years after the Personal Information Protection Commission (‘PIPC’) proposed the initial draft amendment bill. The amended PIPA will take effect on 15 September 2023.
The amended PIPA aims to give momentum to the growth of Korea’s digital economy based on emerging technologies and data, and includes the following key changes:
Most provisions in the amended PIPA will take effect six months after the promulgation of the law (15 September 2023). However, certain provisions, including the right to object to automated decision-making, will take effect one year later. The right to data portability will take effect on a date to be determined by the Enforcement Decree of the PIPA, which will be issued between one and two years after the promulgation of the law.
The amended PIPA enhances the rights of data subjects by introducing the right to data portability and the right to object to automated decision-making.
Right to data portability
The amended PIPA grants data subjects the right to request that their personal information be transmitted to themselves or to a third party who satisfies the security standards to be specified in the Enforcement Decree.
Upon receiving a transmission request, a data controller must ensure that the requested information is transmitted within a reasonable timeframe, at a reasonable cost, and via reasonable means. The data controller may either reject or suspend a transmission request if the identity of the requesting data subject is not confirmed, or if other conditions specified in the Enforcement Decree are met.
The scope of personal information that can be transmitted, the process of requesting transmission, the deadline and method of transmission, the method of revoking a transmission request, the method of rejecting or suspending a transmission request, and other related aspects will be prescribed in the Enforcement Decree.
Right to object to automated decision-making
The amended PIPA also provides data subjects with the right to reject, object to, or request explanations of decisions made by fully automated systems, including artificial intelligence systems, that process personal information and substantially affect the rights or obligations of the data subjects. If a data subject exercises this right, the data controller must cease applying the automated system or take the necessary measures (e.g. manual re-processing of personal information or providing explanations) unless there are justifiable reasons for not doing so.
Prior to the amendment to the PIPA, online service providers (‘OSPs’) were subject to special provisions in addition to the general provisions applying to ordinary data controllers. However, with the amended PIPA, all provisions of the PIPA now apply equally to both general data controllers and OSPs.
The following special provisions, which previously only applied to OSPs, will be applicable to all data controllers:
On the other hand, the special provision requiring OSPs to delete or separately store the personal information of data subjects who have not used the service for one year has been deleted. In sum, these changes represent a shift towards increased consistency and clarity in the application of data protection requirements under the PIPA.
Change in the scope of criminal penalties
The amended PIPA aims to substitute criminal sanctions with administrative penalties for certain violations of PIPA. Further, the amended PIPA removes the criminal penalty for data breaches caused by a failure to take data protection measures.
However, despite the general trend toward economic sanctions, the amended PIPA adds new types of violations that may be subject to criminal sanctions. These violations include obstruction of investigation by the authority by concealing, destroying, forging, or falsifying documents, or refusing access to premises.
Change in the scope of administrative penalties
Moreover, the amended PIPA aims to broaden the grounds for imposing administrative penalties. Before the amendment, ordinary data controllers (non-OSPs) were subject to administrative penalties only for violations such as the loss or leakage of Resident Registration Numbers or the processing of pseudonymised data to identify an individual, whereas OSPs were subject to administrative penalties for a wider range of violations. Under the amended PIPA, all data controllers can face administrative penalties for the wider range of violations.
Change in the administrative penalty amount
Under the current PIPA, the administrative penalty applicable to OSPs is up to 3% of the ‘revenue related to the violation’. Under the amended PIPA, the base amount for the administrative penalty has been adjusted to the ‘total revenue’. To ensure that the penalty amount remains proportional to the severity of the violation, ‘revenue unrelated to the violation’ may be excluded from the calculation. However, if the data controller fails to submit the requested materials or provides false materials for calculating the base amount, total revenue will be used as the base amount. In effect, the burden of proving the relevant revenue now lies with the data controller.
Under the current PIPA, data controllers must obtain consent from data subjects before transferring personal information overseas. However, the amended PIPA has added new legal bases for the overseas transfer of personal information. These include situations where a special provision, treaty, or international agreement specifically allows the overseas transfer of personal information, where the recipient located overseas has obtained a certification determined and announced by the PIPC, or where the personal information is transferred to a country or international organisation that the PIPC has determined provides an adequate level of protection.
The amended PIPA will continue to allow the overseas transfer of personal information for entrustment (outsourcing) or storage purposes, provided that certain information is disclosed in the privacy policy or notified to the data subjects. However, an additional requirement has been added: the transfer must be ‘necessary to execute and perform a contract with the data subject’. The impact of this additional requirement on enforcement practices concerning the overseas entrustment of personal data processing remains to be seen.
Furthermore, the amended PIPA authorises the PIPC to suspend any ongoing or future overseas transfer of personal information. The PIPC can issue a suspension order if an overseas transfer violates the PIPA (e.g. when an overseas transfer took place without legal grounds, or when the transferring data controller enters into a written contract concerning overseas transfer in violation of the PIPA), or when a data subject has experienced or is highly likely to experience harm due to the recipient failing to provide an adequate level of protection.