South Korea’s comprehensive Personal Information Protection Act was enacted Sept. 30, 2011. It is one of the world’s strictest privacy regimes. Like the GDPR, it protects privacy rights from the perspective of the data subject and it is comprehensive, applying to most organizations, even government entities. It is not only applicable and strict, but its penalties — which include criminal and regulatory fines and even imprisonment — are enthusiastically enforced.
The nation has other, sector-specific, laws that relate to data protection that are not addressed here, such as the Act on Promotion of Information and Communication Network Utilisation and Information Protection, which is applicable to IT service providers; the Use and Protection of Credit Information Act, which applies to credit information used in credit ratings; and the Act on Real Name Financial Transactions and Guarantee of Secrecy, which applies to financial or financial services institutions.
It is also worth noting that on June 30 of last year South Korea became the fifth member to join to the APEC Cross Border Privacy Rules, joining the U.S., Japan, Canada and Mexico. For more information about the the Cross Border Privacy Rules, see this article.
The below table compares aspects of the GDPR directly with South Korea’s PIPA.
South Korea’s Personal Information Protection Act | GDPR | |
Purpose | To provide for the processing of the personal information for the purpose of enhancing the right and interest of citizens, and further realizing the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. | To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. |
Material Scope | Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties. | Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. |
Territorial Scope | Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action. | Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union. |
Personal Data | “Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information). | Personal data means any information relating to an identified or identifiable natural person. |
Sensitive Personal Data | Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history dat, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects. | Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. |
Data Controller | The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “Personal information processor.” | Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Data Processors | "Personal information processor" means a public institution, legal person, organization, individual, etc. that processes directly or indirectly personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR. | Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. |
Publicly Available Information | There is no specific exception to applicability that relates to publicly available information. | The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. |
Preventing Harm Principle | The law provides that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection; abuse and misuse of personal information; and enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive. | Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. |
Lawfulness, Fairness and Transparency | The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes. | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
Purpose Limitation | An information processor should use personal information only for the purposes specified to the data subject in any applicable consent. | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
Data Minimization | A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject. | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
Accuracy | The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes. | Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. |
Storage Limitation | The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible. | Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject. |
Notice | The personal information processor shall make public its privacy policy and other personal information processing matters. The privacy policy must disclose: · The purpose of personal information procession. · The period for processing and retention of the personal information. · Any provision of the personal information to a third party (if applicable). · Any consignment of personal information processing (if applicable). · The rights and obligations of data subjects and how to exercise the rights. · Other matters in relation to personal information processing as stated in the Presidential Decree. | Articles 12, 13, and 14 address the requirement that a data controller provide notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. The notice must contain: · Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer · Purpose of the processing and the legal basis for the processing · The legitimate interests of the controller or third party, where applicable · Categories of personal data · Any recipient or categories of recipients of the personal data · Details of transfers to third country and safeguards · Retention period or criteria used to determine the retention period · The existence of each of data subject’s rights · The right to withdraw consent at any time, where relevant · The right to lodge a complaint with a supervisory authority · The source the personal data originates from and whether it came from publicly accessible sources · Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data · The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences. |
Choice and Consent | The law specifies that when obtaining consent from the data subjections, the personal information processor shall notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize it explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent. The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations). | Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. |
Integrity and Confidentiality | The act imposes detailed technical and administrative measures for the security of personal information. The personal information processor shall take such technical, managerial and physical measures as internal management plan and preservation of log-on records, etc., necessary to ensure the safety so that personal information may not be lost, stolen, leaked, altered or damaged. | Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. |
Accountability | The personal information processor must appoint a privacy officer. The Minister of Public Administration and Security has the right to request goods and documents that demonstrate compliance with the law and to enter the premises and inspect if the personal information processor fails to furnish the materials. | The controller must appoint a data protection officer. The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses. |
Access and Correction | The data subject has the right to demand access to and suspend processing of, and to make correction, deletion and destruction of their personal information. | The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, and rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject). |
Data Portability | Data subjects may demand access to data, with some exceptions. The law does not specify that access must be in the form of an export or other form of portability. | The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. |
Transfer of Personal Data to Another Person or country | A data protection agreement must be in place between the personal information processor in the context of any outsourcing. This requirement applies also to international personal information transfers. The personal information processor must also inform data subjects when the personal information processor provides personal information to a third party overseas, and the personal information processor shall not enter into a contract for unlawful cross-border transfer when it obtains consent. | When a controller sends data to another party to be processed, they are a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification. |
Breach Definition | The law does not define a breach, but refers to it as an event where personal information has been breached. | Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. |
Breach Notification | The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached. Breaches that affect more than a certain number of individuals as set forth in a presidential decree must be disclosed to the data protection authority. | The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons. |
Breach Mitigation | There’s no specific provision that allows for a harm or risk test or application of mitigation to avoid the requirement to notify of a breach, but the personal information processor is obligated to take countermeasures to minimize damage. | Notification to data subjects is not required if: · The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or · The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or · It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. |
photo credit: J. Patrick Fischer, Licensed under the Creative Commons Attribution-Share Alike 3.0