Data protection in South Korea: overview

A Q&A guide to data protection in South Korea.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

In South Korea (Korea), the general law regulating privacy and data protection is the Personal Information Protection Act (PIPA).

Sectoral laws

There are many sector specific laws that apply in conjunction with the PIPA. The main example is the Act on the Promotion of IT Network Use and Information Protection (Network Act) that regulates electronic and online data privacy issues.

Other examples include the:

  • Use and Protection of Credit Information Act (provides privacy rules that are applicable to personal credit information).

  • Use and Protection of Location Information Act (regulates companies that collect, use or share (or are able to collect, use or share) the location information of a living individual or moveable objects).

  • Communications Secrecy Act (regulates the wiretapping of telecommunications and the protection of the confidentiality of communications).

Scope of legislation

 
2. To whom do the laws apply?

Personal Information Protection Act (PIPA)

The PIPA applies to personal information processing organisations that are defined as all persons, organisations, corporations and governmental agencies that process personal information for business purposes.

The Act on the Promotion of IT Network Use and Information Protection (Network Act)

The Act on the Promotion of IT Network Use and Information Protection (Network Act) provides measures for protecting the personal information of "users" who are defined as all individuals that use the telecommunications services provided by online service providers. Online service providers are defined as:

  • Telecommunications service providers as provided in Article 2, Item 8 of the Telecommunications Business Act; and

  • Other persons who provide information or intermediate the provision of information for the purpose of earning profit, by utilising the services rendered by telecommunications service providers.

Online service providers include commercial website operators as well as telecommunications service providers.

 
3. What data is regulated?

The Personal Information Protection Act (PIPA) regulates personal information. It is defined as information that relates to a living individual, by which the individual can be identified on its own or when easily combined with other information. Examples of personal information include the following:

  • Name.

  • Address.

  • Photographs.

The Act on the Promotion of IT Network Use and Information Protection (Network Act) has a very similar definition of personal information. However, the Network Act only regulates the personal information of users (see Question 2).

The Korea Communications Commission (KCC) is the regulatory authority for the Network Act and interprets the definition of personal information broadly to include:

  • The registered members of a website who use the services provided by the website.

  • Individuals that inquire about the services provided by the website before registering as members.

  • Individuals that participate in one single event hosted by the website.

 
4. What acts are regulated?

The main acts regulated by the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) are the collection, use, provision, outsourcing, storing, and destruction of personal information. The PIPA regulates the processing of personal information and broadly defines processing as including the collection, production, association, connection, recording, storing, possession, treating, editing, searching, output, correction, restoration, use, provision, disclosure, destruction, and other similar acts.

 
5. What is the jurisdictional scope of the rules?

The Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) do not specifically address whether the laws apply to foreign organisations or to acts occurring abroad. However, the standard used by regulatory authorities (including the Korea Communications Commission (KCC)) to determine whether the laws apply to a foreign organisation is whether that organisation targeted Korean users. For example, in the case of foreign website operators, the KCC will likely consider the following factors to determine whether the Network Act applies:

  • The location of the website's server.

  • Whether the website is written in the Korean language and uses a Korean domain name.

  • Whether the website conducts promotional activities in Korea.

In January 2014, the KCC fined a multinational corporation approximately KRW200 million for collecting Korean users' personal information without properly obtaining their consent. This was the first time that the KCC had imposed an administrative fine on a foreign organisation.

 
6. What are the main exemptions (if any)?

The Personal Information Protection Act (PIPA) does not apply to personal information that falls under the following categories:

  • Personal information handled by public agencies that was collected under the Statistics Act.

  • Personal information that was collected or requested for the purpose of conducting analysis related to national security.

  • Personal information that is temporarily processed due to an urgent need based on public safety and welfare concerns, for example, public hygiene.

  • Personal information that is collected and/or used by the:

    • media (for news collecting and reporting);

    • religious organisations (for missionary work);

    • political parties (for the nomination of a candidate in an election).

In contrast, the Act on the Promotion of IT Network Use and Information Protection (Network Act) does not include any exemptions.

Notification

 
7. Is notification or registration required before processing data?

There are no notification or registration requirements before processing data. However, there are notification requirements that must be met before processing data subjects' personal information (see Question 12).

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) include provisions that address the following:

  • The necessary requirements for an entity to order, collect, use, transfer, outsource or otherwise process personal information.

  • Technical and managerial protective measures that an entity must take to securely store personal information.

  • The rights afforded to data subjects and users.

  • An entity's obligations regarding the protection of personal information, including the requirement to create and publish a privacy policy and the appointment of a chief privacy officer (CPO).

  • Measures that must be taken by an entity in case of the loss of data.

Failure to comply with the PIPA or the Network Act can result in administrative fines and criminal sanctions.

 
9. Is the consent of data subjects required before processing personal data?

The consent of data subjects is required under the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) before processing personal information. Consent must be obtained in a manner provided under the applicable laws and sub-regulations in order to be valid. The following are examples of methods of obtaining valid consent:

  • The data subject's signature or seal on a document that includes the information that is being consented to.

  • The data subject indicating his consent on a website (for example, by checking a box) that includes the information that is being consented to.

  • Sending an email to the data subject that includes the information that is being consented to and the data subject responds expressing his consent.

To process the personal information of data subjects under the age of 14, consent must be obtained from their legal guardian.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

The main grounds for processing personal information without the data subjects' consent are where the processing is provided for by statute and where it is necessary for an entity to process personal information in order to comply with its legal obligations.

There are additional grounds under the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act). The PIPA permits the collection and use of personal information without the data subjects' consent in the following circumstances:

  • When it is necessary in order to enter into or execute a contract with the data subject.

  • When the information is necessary for the safety and property interests of the data subject or a third party (if obtaining prior consent is too difficult because the data subject is unable to express his intention, or because the address is unknown).

  • When it is necessary to achieve a legitimate interest of the personal information processing organisation and the interest clearly supersedes that of the data subject. There must be an important relationship between the collection and use of personal information and the legitimate interest of the data controller and the use must not exceed a reasonable limit.

Special rules

 
11. Do special rules apply for certain types of personal data, such as sensitive data?

The Personal Information Protection Act (PIPA) defines sensitive information as personal information concerning an individual's:

  • Ideology.

  • Faith.

  • Labour union membership.

  • Political views or membership in a political party.

  • Health or medical treatment.

  • Sexual orientation.

  • Genetics.

  • Criminal record.

Sensitive information can be processed if the processing is required or permitted by statute or the consent of the data subject is separately obtained.

In addition, the PIPA defines "unique identification information" as an individual's:

  • Resident registration number.

  • Passport number.

  • Driver's license number.

  • Foreign registration number.

Forms of unique identification information (except resident registration numbers) can be processed if the processing is required or permitted by statute or the consent of the data subject is separately obtained. However, resident registration numbers can only be processed if a statute or regulation specifically authorises or requires the processing (the data subject's separate consent is not a sufficient basis for processing resident registration numbers).

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Personal Information Protection Act

The information that must be provided to data subjects when obtaining their consent will depend on what the data subject is consenting to.

Under the Personal Information Protection Act (PIPA) data subjects must be informed of and provide their consent to the following before their personal information is collected and/or used:

  • Purpose of the collection and use.

  • Items of personal information that will be collected.

  • Duration of the possession and use of the personal information.

  • The data subject's right to refuse to give consent and the consequences of any such refusal.

In addition, the PIPA requires data subjects to be informed of and provide their consent to the following before their personal information is passed to a third party:

  • Name of the third party.

  • Items of personal information that will be provided.

  • The third party's purpose of use of the personal information.

  • The third party's period of retention and use.

  • The data subject's right to refuse to give consent and the consequence of any such refusal.

The Act on the Promotion of IT Network Use and Information Protection

The Act on the Promotion of IT Network Use and Information Protection (Network Act) has similar notification and consent requirements to the PIPA. However, unlike the PIPA, the Network Act also requires online service providers to obtain users' express consent:

  • Before outsourcing the processing of the data subjects' personal information to a third party.

  • When transferring the users' personal information to an overseas entity (see Question 20).

 
13. What other specific rights are granted to data subjects?

Under the Personal Information Protection Act (PIPA) data subjects have the following rights with regard to their personal information:

  • The right to request how the personal information is being processed.

  • The right to request the correction or deletion of the personal information.

  • The right to suspend the processing of the personal information.

The Act on the Promotion of IT Network Use and Information Protection (Network Act) provides data subjects with:

  • The right to revoke consent.

  • The right to review a copy of the personal information being processed, and the status of any processing.

  • The right to request a correction of any error(s).

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects can request the deletion of their personal information and the suspension of the processing of their personal information (see Question 13). However, data subjects cannot request the deletion of personal information that was collected under a statute that specifically authorised or required the collection. In addition, data controllers can refuse a data subject's request for the suspension of processing if its basis for refusal is one of the grounds prescribed under the Personal Information Protection Act (PIPA). For example, where there exists a likelihood of a risk to another person's life or bodily harm or an infringement on another person's property or other interests.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

The Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) include detailed technical security and administrative requirements. The main requirements are as follows:

  • Establishment and implementation of an internal management plan for the secure processing of personal information.

  • Restriction of access rights to personal information.

  • Installation and operation of an access restriction system (for example, intrusion prevention systems and intrusion detection systems) for preventing illegal access to and leakage of personal information.

  • Application of encryption technology to enable secure storage and transfer of personal information.

  • Storage of access logs regarding access to the personal information processing system.

  • Installation and updating of security programs.

  • Establishment and implementation of password creation rules.

  • Taking of appropriate physical measures, such as the establishment of secure storage facilities for personal information and the use of locking devices.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Under the Personal Information Protection Act (PIPA) when a data controller becomes aware that personal information has been leaked, they are required to:

  • Provide individual notices to the data subjects.

  • File a personal information leakage report to the Ministry of Government Administration and Home Affairs (MOGAHA) or the Korea Internet Security Agency (KISA).

The PIPA's reporting requirement is only triggered if the data breach meets the threshold determined by the Enforcement Decree of the PIPA (currently set at data breaches where the personal information of over 10,000 individuals has been leaked). This differs from the reporting requirement under the Act on the Promotion of IT Network Use and Information Protection (Network Act) (see below), which is triggered regardless of the number of affected data subjects.

Under the Network Act, if there is an intrusion incident, the affected online service provider is required to report the incident to the Ministry of Science, ICT and Future Planning or the Korea Internet Security Agency (KISA). The Network Act defines an "intrusion incident" as an incident that is caused by an attack on the information network or the related information system through hacking, computer virus, logic bomb, e-mail bomb, denial of service or high-powered electromagnetic wave. If the intrusion incident results in the leakage of personal information, the affected online service provider is required to file a personal information leakage report to the Korea Communications Commission (KCC) and provide individual notices to users.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

For transfers of personal information to third party entities, both the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) differentiate between the:

  • Provision of personal information to a third party (third party provision).

  • Outsourcing of personal information processing. (The processing of data by a third party on behalf of the data controller will likely be considered an outsourcing of personal information processing.)

Under the PIPA, if the data transfer occurs in the context of an outsourcing, data controllers must comply with the PIPA's requirements for outsourcing:

  • A written outsourcing agreement or a similar document must be in place, containing certain legally-required provisions (see Question 22).

  • The outsourcing company must disclose the details of the outsourcing arrangement (that is, the name of the outsourcee company and the purpose of outsourcing) and include the details in the company's privacy policy.

  • In addition, if the outsourcing entity outsources a service that results in advertisements or recommendation of goods and services, the details of the outsourcing arrangement must be notified to each data subject. However, the PIPA does not require data controllers to obtain the data subject's consent for outsourcing.

Under the Network Act, online service providers must obtain consent from users when they outsource personal information processing to a third party. However, an online service provider is exempted from the consent requirement for outsourcing if the use of an outsourcee company is necessary to perform its contractual obligations and enhance users' benefits, and the matters relating to the outsourcing are disclosed in the privacy policy or are otherwise notified to the users.

The Network Act does not specifically require an underlying outsourcing agreement for outsourcing arrangements. However, legal commentators have expressed the view that where an existing law is silent on a particular topic (for example, the need for an underlying outsourcing agreement) the more general PIPA requirement should govern to the extent that it applies. The Korea Communications Commission (KCC) also considers that a written outsourcing agreement or similar document is necessary.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Under the Act on the Promotion of IT Network Use and Information Protection (Network Act) data controllers must establish and disclose a detailed privacy policy on the processing of personal information. This includes information on any installation and operation of devices used to automatically collect personal data (such as cookies) and methods to reject the installation of such devices.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Prior consent (opt-in approach) is required for spam that is transmitted electronically. However, for recipients whose contact information was obtained directly in the course of a business transaction (such as the sale of goods), spam about the subject of the business transaction can be sent for up to six months (starting from the end-date of the business transaction) without obtaining the recipients' prior consent.

In addition:

  • Spam must be accompanied by the sender's name and contact information, as well as instructions for the recipient to withdraw consent or stop receiving spam.

  • Specific marking requirements apply for the subject lines of emails and text messages.

  • If consent to receive spam is obtained, the consent must be newly obtained every two years.

  • Separate and additional consent must be obtained to send spam via text message between 9pm and 8am. This requirement does not apply to spam that is sent via email.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The requirements that apply for international data transfers (including those made among affiliate entities) vary depending on whether the data transfer constitutes a third party provision or the outsourcing of personal information processing.

Under the Personal Information Protection Act (PIPA) if an international data transfer occurs in the context of a third party provision, the consent requirements outlined in Question 12 must be met. However, if the international data transfer occurs in the context of an outsourcing, the requirements for outsourcing under the PIPA must be complied with (see Question 17).

Under the Act on the Promotion of IT Network Use and Information Protection (Network Act) if there is an international transfer of the users' personal information, online service providers must comply with certain requirements depending on the context of the international data transfer. If the international data transfer occurs in the context of a third party provision, the consent requirements outlined in Question 12 apply. If the international data transfer occurs in the context of an outsourcing, the consent requirements still apply. This is because the Network Act requires online service providers to obtain consent from users before outsourcing personal information to a third party.

In addition, if a user's personal information is transferred to an overseas entity, the Network Act requires online service providers to disclose and obtain the user's consent, regarding the following:

  • The specific information to be transferred overseas.

  • The destination country.

  • The date, time, and method of transmission.

  • The name of the third party and the contact information of the person in charge of the personal information held by the third party.

  • The third party's purpose of use of the personal information and the period of retention and use. This is a separate and independent requirement that applies irrespective of whether the transfer constitutes a provision of personal information to a third party or outsourcing.

Under the Network Act and its sub-regulations, if users' personal information is transferred overseas, online service providers must also take measures to protect the personal information, including:

  • Technical and managerial measures to protect the personal information.

  • Measures for processing complaints, and dispute resolution for infringement of personal information.

  • Other measures that are necessary for the protection of personal information.

All of the information listed above must be reflected in the agreement that is executed between the online service provider and the overseas entity.

 
21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

In the financial sector, financial institutions must file a report with financial regulatory authorities or obtain the authorities' approval in cases where they outsource the processing of financial information to an overseas entity or use an overseas entity's facilities in the course of processing financial information. However, there is no general requirement to store certain types of personal data in Korea.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Outsourcing of personal information processing

The Personal Information Protection Act (PIPA) requires a written outsourcing agreement or similar document to be in place that contains certain information:

  • Purpose and scope of outsourcing.

  • Limitations on the scope of outsourcing (for example, the prohibition of processing personal information for any other purpose other than the purpose of outsourcing, and the limitation on sub-outsourcing).

  • Technical and managerial protective measures.

  • Matters on supervision, for example arranging inspections of the current management system of personal information in relation to the outsourcing.

  • Provision on compensation for damages in cases where the outsourcee company breaches its duties.

The contracting parties are required to include the above details in their written outsourcing agreement, as there are no standard forms that have been approved by national authorities.

Third party provision

There is no requirement to have a data transfer agreement in place in addition to the consent requirement (see Question 12).

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

See Questions 21 and 22.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

The national regulator does not need to approve the data transfer agreement.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The Ministry of Government Administration and Home Affairs (MOGAHA) is responsible for enforcing the Personal Information Protection Act (PIPA). The MOGAHA can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the PIPA. In addition, once a violation of the PIPA is confirmed, the MOGAHA can impose administrative penalties, such as corrective orders and fines, and refer the case for criminal prosecution.

The Korea Communications Commission (KCC) and the Ministry of Science, ICT and Future Planning are responsible for enforcing the Network Act. Both authorities are authorised to take similar measures to the MOGAHA.

The PIPA and the Act on the Promotion of IT Network Use and Information Protection (Network Act) both provide criminal sanctions as penalties for violations and, to the extent that they apply, the corresponding criminal investigation and indictment proceedings will be handled by the police and the prosecutor's office (see Question 26).

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

The regulatory authorities impose administrative and criminal penalties for the violation of data protection laws. In addition, entities can be subject to civil liability if their non-compliance caused data subjects to incur damages.

The MOGAHA (Ministry of Government Administration and Home Affairs), the Korea Communications Commission (KCC) and the Korea Internet Security Agency (KISA):

  • Proactively conduct onsite audits of entities in various industries.

  • Investigate violations after they occur.

For example, the recently established Joint Criminal Investigation Team for Personal Information is currently investigating a:

  • Major retailer that allegedly sold customer information to third parties without the data subjects' consent.

  • Major telecommunications company regarding its alleged collection of patients' health information without obtaining the required consent.

 

Regulator details

Ministry of Government Administration and Home Affairs (행정자치부)

W www.mogaha.go.kr

Main areas of responsibility. These include:

  • Ensuring that personal information processing organisations comply with the PIPA, and investigating their handling of personal information.

  • Enacting and amending the PIPA and related regulations.

  • Conducting investigations and imposing sanctions in connection with violations of the PIPA.

  • Improving Korea's privacy regime.

Korea Communications Commission (방송통신위원회)

W www.kcc.go.kr

Main areas of responsibility. These include:

  • Establishing and regulating policies on broadcasting and telecommunications.

  • Protecting users.

  • Establishing measures for protecting personal information.

  • Conducting investigations.

  • Imposing sanctions in connection with violations of the Network Act.

  • Regulating broadcast advertisements and enforcing related policies.



Online resources

W www.law.go.kr

Description. The official site operated by the Ministry of Government Legislation, which can be used to access various laws and precedents in Korea. The website is not available in English.

W http://elaw.klri.re.kr

Description. The website is operated by the Korea Legislation Research Institute, and provides unofficial English translations of various laws that are currently in effect in Korea.



Contributor profiles

Jin Hwan Kim, Senior Attorney

Kim & Chang

T +82 2 3703 1291
F +82 2 737 9091
E jhkim4@kimchang.com
W www.kimchang.com

Professional qualifications. Member of the Korean Bar Association, 1995; Member of the New York Bar Association, 2006

Areas of practice. Privacy; data security

Languages. Korean, English

Professional associations/memberships. Korean Bar Association

Brian Tae-Hyun Chung, Senior Foreign Attorney

Kim & Chang

T +82 2 3703 1078
F +82 2 737 9091
E thchung@kimchang.com
W www.kimchang.com

Professional qualifications. Member of the New York Bar Association, 1997

Areas of practice. Privacy; TMT; antitrust.

Languages. English, Korean

Professional associations/memberships. New York Bar Association

Jennifer S. Keh, Foreign Attorney

Kim & Chang

T +82 2 3703 1779
F +82 2 737 9091
E jennifer.keh@kimchang.com
W www.kimchang.com

Professional qualifications. Member of the California Bar Association, 2007

Areas of practice. Privacy; anti-trust and competition; cross-border disputes.

Languages. English, Korean

Professional associations/memberships. California Bar Association

Publications. The Privacy, Data Protection and Cybersecurity Law Review (Edition 1): "Korea" chapter (Co-author, Law Business Research, 2014).

In Hwan Lee, Attorney

Kim & Chang

T +82 2 3703 1827
F +82 2 737 9091
E inhwan.lee@kimchang.com
W www.kimchang.com

Professional qualifications. Member of the Korean Bar Association, 2007

Areas of practice. Privacy; health; antitrust & competition.

Languages. Korean, English

Professional associations/memberships. Korean Bar Association

Publications. The Privacy, Data Protection and Cybersecurity Law Review (Edition 1): "Korea" chapter (Co-author, Law Business Research, 2014)
