On April 20, 2022, the amended Location Information Protection Act (“LIPA”) and the amended LIPA Enforcement Decree entered into force. The amendment introduces a number of new rules for business operators, as well as changes to existing rules. Below are the key takeaways.
1. Shift from license system to registration system for personal location information business
Previously, operating a location information business involving personal location information required a license from the Korea Communications Commission (“KCC”). Under the amended LIPA, such businesses only need to register with KCC upon satisfying certain requirements (Article 5 LIPA).
2. Matters subject to registration/report of change
Prior to the amendment, changes in the location information system did not require a new license or filing a change report if the change did not lower the level of protection of personal location information.
Under the amended LIPA, any changes made to details of the location information system included in the KCC registration of a personal location information business provider or KCC report of a location-based service business provider or object location information business provider, must be registered or reported if there is a change in major facilities (e.g., servers) (Articles 4, 5-2 and 9 Enforcement Decree).
3. Consent to the purpose and period of retention of personal location information
If a location information business provider intends to collect personal location information or a location-based service business provider intends to use or provide personal location information to a third party, they are required to include specific terms in their terms and conditions and obtain consent from individuals. The amended LIPA adds the "purpose and retention period of personal location information" to these mandatory terms (Articles 18(1) and 19(1) LIPA).
4. Establishment and disclosure of personal location information policy
5. Destruction of personal location information
Before the amendment, the LIPA only provided that, in principle, personal location information must be immediately destroyed when the purpose of collection, use or provision of personal location information is achieved, but did not specify the method or procedure of destruction.
Under the amended LIPA and the Enforcement Decree, personal location information may be retained if required by law or if the individual separately consents to the retention of his/her personal location information (Article 23(1) LIPA and Article 26-2(2) Enforcement Decree). Further, when destroying personal location information, necessary measures, such as measures to prevent restoration or recovery of personal location information, must be taken (Article 23(2) LIPA and Article 26-2(1) Enforcement Decree). The amended LIPA introduces criminal penalties for failure to properly destruct personal location information and grants KCC the power to inspect compliance (Articles 23(3) and 40-2 LIPA).
6. Inspection of personal location information business
Under the amended LIPA, the KCC will inspect personal location information businesses on a regular basis, and at least once a year (former part of Article 36(3) LIPA). The inspection includes, among other things, the trade name of a personal location information business provider, changes in the location of the principal office or the location information system, the terms and conditions of use, the personal location information policy and the disclosure thereof, the organizational and technical measures taken for location information, and the retention and destruction of personal location information and data confirming the collection, use and provision thereof (Article 35(1) Enforcement Decree). For such inspection, the KCC may request the relevant personal location information business provider to submit necessary materials, such as relevant goods and documents (latter part of Article 36(3) LIPA), and the inspection will be conducted by means of a written investigation, on-site inspection, etc., but electronic methods, such as information and communications networks or e-mails, may be used (Article 35 (2) Enforcement Decree).
7. Imposition of administrative fine for violations of the LIPA
Prior to amendment, the KCC could only issue administrative fines as a substitute for business suspension orders. The amended LIPA now allows the KCC to impose administrative fines of up to 3% of the relevant sales revenue (or up to KRW 400 million if there is no sales revenue or if it is difficult to calculate the sales revenue) on business operators who commit certain violations, such as collecting, using, or providing personal location information without the consent of the individual, or using or providing personal location information to third parties beyond the scope specified in the terms and conditions (Article 14 LIPA).