With the enforcement on September 15, 2024 of Article 17, Paragraph (1) of the amended Enforcement Decree of the Personal Information Protection Act (the “PIPA”), listing the general principles when obtaining consent, the Personal Information Protection Commission (the “PIPC”) issued a press release on September 12, 2024, announcing that it plans to improve the current practice of obtaining mandatory consent for personal information processing in a phased manner (available in Korean, Link).
In announcing the plan, the PIPC noted that the legislative intent behind the amendment of the PIPA in 2023 was to establish a culture of informed consent, while eliminating the need for mandatory consent, which was required as a mere formality for personal information processing in relation to contracts. The PIPC added that the amended Enforcement Decree of the PIPA, which took effect on September 15, 2024, sets forth the principles for obtaining consent, one of which is to ensure that data subjects are able to freely decide whether to give consent.
To this end, the PIPC provided some guidance on the cases where consent for personal information processing is required and the methods of obtaining consent as follows.
1. Processing of Personal Information Necessary for a Contract Does Not Require Consent
A data controller may collect and use personal information, which is necessary in relation to a contract (e.g., a service use agreement), without the consent of the data subject. However, the data controller has the burden of proving that the relevant personal information is necessary information that can be processed without the data subject’s consent (Article 22, Paragraph (3) of the PIPA).
The PIPC stated that requiring data subjects to give their consent for processing of personal information even if such personal information is necessary in relation to a contract could be in violation of the principles set forth in the provisions on the methods of obtaining consent (Article 22 of the PIPA and Article 17, Paragraph (1) of the Enforcement Decree of the PIPA). The PIPC then explained that going forward, it is therefore necessary to (i) exclude such information from the scope of personal information whose processing is subject to mandatory consent and instead (ii) disclose such information in the privacy policy separately from the items of personal information collected and used with consent.
2. Processing of Personal Information Not Related to a Contract Requires the Data Subject’s Freely Given Consent
If a data controller collects and uses personal information that is not necessary for the performance of a contract, the data controller must clearly inform the data subject of the details of consent so that he/she is fully aware of such details and allow him/her to freely decide whether to give consent.
The PIPC explained that restricting a data subject from freely deciding whether to give consent without any special circumstance when the relevant personal information is not necessary for the performance of a contract or failing to clearly notify the data subject of the details of consent may be in violation of the legal requirements for consent.
3. Processing of Sensitive Information or Unique Identification Information Requires Mandatory Consent if Necessary for the Provision of a Service
If it is necessary to process sensitive information or unique identification information (other than resident registration numbers whose processing is still prohibited in principle) of a data subject for the performance of a contract or due to the nature of the service, the data controller must obtain separate mandatory consent for such processing as it does currently. However, if there is any applicable law permitting such processing without consent, consent is not required.
If sensitive information or unique identification information is not necessary for the performance of a contract or provision of a service, the data controller may process such information by obtaining optional consent freely given by the data subject.
4. Provision of Personal Information to a Third Party
If a data controller needs to provide the collected personal information in order to perform the data controller’s contract with the data subject, the data controller may notify the relevant details to, and obtain mandatory consent from, the data subject. However, if the personal information is provided to a third party to the extent reasonably related to the original purpose of collection and if such provision can be reasonably expected by the data subject (Article 17, Paragraph (4) of the PIPA and Article 14-2 of the Enforcement Decree of the PIPA), consent may be exempted.
If personal information is provided to a third party beyond the scope of the original purpose of collection (Article 18 of the PIPA), separate consent from the data subject is required, but in this case, the data subject must be guaranteed the right to freely decide whether to give consent.
The PIPC plans to publish the Consolidated Guidelines on Personal Information Processing (the “Guidelines”) by the end of this year and provide specific case examples. The Guidelines are expected to present in a comprehensive manner the compliance requirements at each stage of personal information processing (i.e., the principles of personal information protection, collection, use, provision, destruction, methods of obtaining consent and delegation, among others). As this is an important change that may have a direct impact on the current practices of requiring mandatory consent, it would be necessary to continue monitoring the relevant developments of the PIPC, including the content of the Guidelines.