Operating an international business in South Korea requires knowing not only the market context but also the important South Korean data privacy laws. For the majority of companies, complying with South Korean data protection laws can seem difficult, as South Korea has some of the strictest data privacy laws in the international business space, and failure to comply with these laws can attract heavy penalties.
In September 2021, Facebook was fined $5.6 million by the PIPC (Personal Information Protection Commission) for violating various requirements of South Korea's PIPA (Personal Information Protection Act). In the same vein, Netflix was hit with a fine of $190,000 for unlawfully collecting users' data and transferring that data without notice, thereby violating Korea's data localization requirement. But the good news is, your company doesn't have to make the same mistakes these companies made.
To help companies transact smoothly in South Korea without having a bout with the relevant authorities, we will take a tour of the important Korean data privacy laws your business must adhere to.
Who do Korean data privacy laws apply to?
For better context, we have categorized the application of South Korean data protection laws into two strata, which we look at in detail below:
The general application
An interpretation of the Korean PIPA suggests that any person, agency, organization, public body, etc. that uses or handles personal data in any capacity is bound by this law. We will discuss PIPA in detail as we forge on.
The specialized application
Korea has also enacted other privacy laws focused on specific industries. For instance, the ICNA binds digital service providers, while the CIA regulates credit information businesses. Likewise, the LIPA governs those operating location-based businesses.
Key definitions of Korean data protection laws
Korea has earned a seat in the hall of fame for countries with significant data localization requirements. Below, we will look at some key terms in Korean data protection laws according to PIPA.
- Data controller: contextually, a data controller is a person, public corporation, or institution that collects, uses, and processes users' personal data in the natural course of business.
- Data processor: this is an entity (a third party) engaged by the controller to receive and manage users' information on its behalf.
- Personal data: these are details that identify a person or, when combined with other details, can help identify a person. Such details include a specific individual's full name, sex, resident registration number, or image.
- Sensitive data: these are personal details whose mismanagement may give rise to a breach of privacy. They include information about a person's school of thought, religious standing, political views, health, criminal records, genetic information, etc.
- Health data: PIPA does not expressly define what amounts to health data, but the PIPC guidelines define health data to cover information regarding an individual's present and past medical records.
- Pseudonymization: this is the act of processing personal details, by deleting or replacing part of them, so that they can no longer be used to identify a specific individual without additional information.
- Data collection: this covers the generation, collection, processing, disclosure, or destruction of personal details.
- Data subject: this is the individual to whom the collected data relates and who can be identified by it.
- Anonymized information: this refers to users' details that, even when combined with other details, cannot be used to identify a specific individual.
Controller and processor obligations according to data privacy laws in Korea
South Korea’s data protection law provides comprehensive obligations that must be met by data controllers and data processors. These obligations are covered in Chapter III of the PIPA. Let’s take a look at some of these obligations.
- A data controller is obliged to collect personal information directly from the data subject and to inform them of the purpose of collection, the details to be collected, and the time frame during which the information will be retained.
- The Act also permits the data controller to share users' details with third parties, provided consent has been duly obtained from the user.
- The data controller shall, after processing personal information obtained from a third party, notify the users of the source and purpose of the personal information obtained.
- A data controller is expected to destroy users' personal information after the expiration of the time frame for which it was obtained and processed, and to adopt the preventive measures necessary to ensure this personal information is not stolen, misappropriated, or damaged.
- Lastly, data controllers are obligated to develop a personal information processing policy in line with the provisions of Article 32.
In line with the definition of a data controller under PIPA, data processors are likely to be legally bound by the same obligations that govern data controllers. Therefore, where a third party (data processor) violates the stipulated obligations, that third party will be considered an employee of the data controller for liability purposes, and the data controller will be held vicariously liable for the violation.
What data privacy laws will affect your business in Korea?
Not certain about the data privacy laws that will affect your business? Check out the following.
Credit Information Act
The CIA’s goal is to promote the best possible use and administration of credit information while protecting users’ privacy against credit information misuse and infringement. Credit information means any information stipulated by a Presidential Decree to be essential in determining the creditworthiness of a party to financial or commercial transactions.
Article 2(5) defines a credit information company as an entity permitted by the Financial Services Commission to transact in the credit information business, while Article 7 defines a credit information provider/user as a legal person or entity permitted by a Decree to offer credit information obtained in the course of running its business to a third party.
Article 4(4) requires that any individual or entity that chooses to operate a business relying on credit information must apply for and obtain permission from the Financial Services Commission before commencing operation.
Companies dealing in credit information may collect, investigate, and process credit information. However, when doing so, the company or business must clarify the purpose of such collection, investigation, and processing.
Under Article 14, a company engaged in the operation of a credit information business can have its license revoked if it obtained the license through fraud or if it violates any other terms and conditions.
Location Information Act
LIPA was introduced to protect the privacy of Korean citizens by ensuring that businesses utilizing location-based information do not misuse or mismanage such information. Article 2(1) defines location information to mean information about where a person has resided at a given point in time.
The LIPA also expressly prohibits individuals or businesses from collecting, using, or providing the location information of a person or mobile object without first obtaining consent from the subject.
Personal Information Protection Act
PIPA is a general and comprehensive statute enacted to protect the personal details of individuals from unauthorized collection, use, or disclosure. Personal data here means details by which a person can be recognized.
The Act provides that personal information can only be obtained after consent has been given and in circumstances where it is absolutely required. Hence the data controller is mandated to furnish users with the necessary information as to why the information is being obtained and for how long it plans to hold the details.
The Act also precludes data controllers and third parties from using personal information beyond the scope for which it was provided. If the data controller obtains users' details from a third party, it must, after processing the data, notify the data subject of the source and purpose for which the data was collected.
PIPA, when compared to other data residency laws by country, is one of the strictest privacy laws in the international space, and violating the Act will attract strict penalties. But not to worry, our data residency-as-a-service solution has your company covered.
How can businesses become PIPA compliant?
To become PIPA compliant, organizations in the public and commercial sectors are subject to many South Korea PIPA checklist items, such as notifying data subjects and the relevant authorities, like the Korea Communications Commission (KCC), immediately after a data breach. The following must also be put in place by a business as part of the PIPA compliance requirements:
- Data Security: Under PIPA, data controllers are required to take the technical, administrative, and physical measures essential to secure personal information from loss, theft, leakage, manipulation, or damage.
- Formal Policy Statement: Organizations must produce a formal policy statement outlining their security practices.
- Internal Privacy Officer: An internal privacy officer must be hired, regardless of the size or kind of the firm. In the event of a breach, the internal privacy officer shall be held responsible and be the focus of any criminal investigations.
How to stay compliant with Korean data privacy laws
It’s risky to attempt to comply with data privacy laws on your own. InCountry eliminates the difficulty of complying with data regulations. InCountry's solution gives multinational corporations more say over where their data is stored, which in turn helps them meet local data residency regulations. InCountry offers a global data residency-as-a-service solution that can help your company localize its Korean customers' data.
If you want to run a data privacy law-compliant business in South Korea, kindly contact us. We’d love to help your business stay compliant.