|
|
|
|
|
|
Newsletter | November 2015, Issue 3
|
|
|
|
|
|
|
TECHNOLOGY, MEDIA & TELECOMMUNICATIONS
|
|
|
|
Amendment to PIPA – Why Should Your Company Ensure Greater Privacy and Data Security Compliance?
|
|
|
|
On July 24, 2015, the Amendment (the “Amendment”) to the Personal Information Protection Act (“PIPA”) was promulgated. The Amendment introduced a new punitive and statutory damages scheme, and it increased criminal penalties for crimes related to personal information.
|
|
|
|
While the Amendment is currently effective, certain provisions, such as those related to the punitive and statutory damages scheme, will come into effect in July 2016, one year from the date of the promulgation.
|
|
|
|
Once effective, we expect the Amendment’s provisions, especially those concerning damages, to increase the need for companies to ensure privacy and data security compliance.
|
|
|
|
1. Introduction of Punitive and Statutory Damages Scheme
| |
|
|
| A. |
Punitive Damages
|
|
Under the Amendment, courts will be able to award damages that exceed the actual damages incurred by the subject of the data breach.
|
|
|
Specifically, the Amendment provides that “if the personal information processing organization’s willful misconduct or gross negligence leads to the loss, theft, leakage, forgery, modification or damage of personal information[,] and thereby causes the data subject to incur damages, a court may award damages up to three times the amount of actual damages.”
|
|
|
Before awarding such punitive damages, the Amendment requires the courts to conduct a “totality of the circumstances” analysis. Factors that must be considered include the scope of damages resulting from the misconduct, the economic benefits that were obtained through the misconduct, and the measures taken by the personal information processing organization to remedy the damages incurred by the data subject.
|
|
|
However, the Amendment exempts a personal information processing organization from such punitive damages if it can establish that it did not engage in willful misconduct or gross negligence.
|
|
|
|
|
|
| B. |
Statutory Damages
|
|
The Amendment also includes a statutory damages scheme, recognizing that it is practically difficult for a data subject to prove the amount of damages actually incurred.
|
|
|
Specifically, the Amendment provides that if the personal information processing organization’s willful misconduct or negligence caused the loss, theft, leakage, forgery, modification or damage of personal information, data subjects may claim up to KRW 3 million without having to prove the actual amount of damages. However, if a personal information processing organization can establish that it did not engage in willful misconduct or negligence, the Amendment exempts such an organization from liability.
|
|
|
Both damages schemes will apply to claims for violations that occur after the Amendment becomes effective.
|
|
|
|
|
|
2. Increased Criminal Penalties for Crimes Concerning Personal Information and Other Measures
| |
|
|
The Amendment increases the penalties that may be imposed for criminal use of personal information.
| |
|
|
Under the Amendment, criminal sanctions of up to 10 years of imprisonment or a criminal fine of up to KRW 100 million may be imposed for obtaining personal information through unlawful means, and providing such information to a third party for the purpose of earning a profit or for other unlawful purposes.
| |
|
|
The Amendment also allows the government to confiscate any unlawful profits that were obtained by personal information processing organizations through unlawful distribution of personal information.
| |
|
|
Further, the Amendment imposes an administrative fine for violating the requirement to encrypt resident registration numbers (will be enforced starting January 1, 2016). The Amendment also provides government agencies with additional enforcement measures, including the right to recommend improvements to privacy-related policies, and issue requests for documents to ensure compliance.
| |
|
|
Back to Main Page
|
|
|
|
|
|
If you have any questions regarding this article, please contact below:
|
|
|
|
|
|
|
|
For more information, please visit our website:
|
|
|
|
|
|
|
|