On January 9, 2020, the National Assembly passed the amendments to Korea's three main data privacy laws—the Personal Information Protection Act ("PIPA"), the Act on the Promotion of the Use of the Information Network and Information Protection (the "Network Act"), and the Credit Information Use and Protection Act (the "Credit Information Act").  The amendments will become effective six months from the promulgation by the President, except for certain provisions in the Credit Information Act, which will come into effect in one to one and a half year after the promulgation, to be specified in the Presidential Decree. 

The amendments (i) clearly distinguish among personal data, pseudonymized data and anonymized data, and enact detailed provisions on the processing of pseudonymized data; (ii) transform the Personal Information Protection Commission ("PIPC") into the central data privacy regulatory authority; (iii) transfer to the PIPA all privacy provisions in the previous Network Act relating to online service providers; and (iv) clarify that the Credit Information Act, which used to apply mostly to the financial institutions, now also apply to all commercial companies and grant the PIPC with the authority to request information, to investigate, to conduct on-site investigations, and to impose corrective orders and administrative fines for the purpose of enforcing the Credit Information Act.  In view of these wide-ranging changes, it is recommended that companies review the amendments and determine whether any changes to their privacy and data protection framework will be necessary.   

Please see the attachment for a summary of the key changes introduced by the amendments and how the new application of the Credit Information Act will differ from the application of the PIPA.