On December 5, 2022, the National Policy Committee of the National Assembly passed a bill (the “Proposed Amendment”) to amend the Personal Information Protection Act (“PIPA”). The Proposed Amendment will go to the Legislation and Judiciary Committee of the National Assembly for its review of the structure and language and then will be submitted to the plenary session of the National Assembly for final voting. We currently expect the Proposed Amendment to be passed into law within this year.
The Proposed Amendment, which combines and consolidates most of the PIPA amendment bills submitted to the National Assembly so far, includes (i) expansion of data subjects’ rights, such as data portability and the right to refuse, or request explanation on, automated decision-making, (ii) integration of separate PIPA provisions applicable to online service providers into the general PIPA provisions applicable to ordinary data controllers, and (iii) replacement of criminal sanctions for certain violations of the PIPA with economic sanctions in the form of administrative penalties and fines, but with an upward adjustment in the penalty and fine base (from “relevant revenue” to “total revenue”).
We summarize the key aspects of the Proposed Amendment below.
Strengthening the rights of data subjects
To provide data subjects greater control over their personal information, the Proposed Amendment introduces the right of data subjects to request transmission of their own personal information to themselves or to a third party. The scope of data controllers subject to the transmission obligation will be determined in the Enforcement Decree. If transmission is made to a third party, the third party receiving the transmitted information must take security measures to safeguard such information and meet certain facility and technology standards to be set in the Enforcement Decree (Article 35-2).
The Proposed Amendment also introduces the right of data subjects to refuse or request an explanation of decisions made through the processing of personal information via a fully automated system (including systems applying artificial intelligence technology), if such automated decision significantly affects the rights or obligations of the data subject. If a data subject invokes this right, the data controller must, absent justifiable reasons, either refrain from rendering an automated decision or giving effect to an already rendered automated decision, or take necessary measures, such as having a human being re-process the personal information (Article 37-2).
Unifying legal rules for data controllers and online service providers
The Proposed Amendment unifies the current bifurcated rules for “data controllers” and “online service providers” by deleting the special provisions that overlap with the general provisions applicable to data controllers, while moving the special provisions that apply only to online service providers to the general provision section. This will mean that going forward, the current statutory provisions applicable to data controllers will also apply to online service providers, while data controllers will become subject to certain new obligations that previously only applied to online service providers (e.g., notification of details of personal information use and designation of domestic agents).
In addition, the current obligation on online service providers to delete or segregate dormant user information will be abolished due to significant negative feedback from the industry about the inconvenience caused to users and online service providers.
Transition from criminal sanctions to economic sanctions
The Proposed Amendment replaces criminal sanctions for certain violations of PIPA (e.g., failure to obtain consent for collection and use of personal information, failure to destroy personal information, data breaches due to failure to take data protection measures) with economic sanctions in the form of administrative penalties and fines, but with an upward adjustment in the base amount from the data controller’s “revenue specifically related to the violation” to the “total revenue” of the data controller (Article 64-2, Paragraph (1)). However, to ensure that the amount of the penalty is proportionate to the severity of the corresponding violation, the Proposed Amendment provides that “revenue unrelated to the violation be excluded from the total revenue [of the data controller]” in actually calculating the amount of the administrative fine (Article 64-2, Paragraph (2)).
Revision of requirements for processing personal information: The Proposed Amendment expands the bases on which personal information may be processed without consent from data subjects - for example, by allowing the use and provision of personal information without the consent of the data subject if “necessary to take certain measures requested by the data subject” in the course of performing or entering into an agreement with the data subject, or if it is clearly necessary for immediate protection of the life, body, or property of the data subject or a third party (even if obtaining prior consent from the data subject is possible).
Obligation to notify possibility of disclosure of sensitive information: The Proposed Amendment requires a data controller to give to a data subject prior notice of the possibility of disclosure of sensitive information and the method of electing non-disclosure if the information disclosed during the course of the data controller’s supply of goods or services may include the data subject’s sensitive information and such disclosure may infringe the data subject’s privacy (Article 23, Paragraph (3)).
Establishment of regulations on the operation of mobile visual data processing devices: The Proposed Amendment establishes standards for the installation and operation of mobile visual data processing devices, such as drones and autonomous vehicles. In particular, filming a person or an object related to a person at a public place using a mobile visual data processing device for work purposes is prohibited in principle, but such filming would be permitted in certain cases - for example, if the data subject does not expressly refuse to be filmed despite a clear indication of filming by lights, sound, or signboards sufficient to inform the data subject of the filming (Article 25-2).
Additional bases for overseas transfer of personal information and establishment of the right to order suspension of such transfer: In addition to situations where the data controller has obtained consent from data subjects, the Proposed Amendment adds other bases for overseas transfer of personal information, such as transfer of personal information to a country or international organization recognized by the Personal Information Protection Commission (“PIPC”) as offering an adequate level of protection (Article 28-8). Further, the Proposed Amendment gives the PIPC the authority to issue an order to suspend overseas transfer of personal information if a data subject has suffered, or is highly likely to suffer, damages (Article 28-9).
Increase in the maximum punitive damages amount: The current law introduced a “punitive damages system” in July 2015, allowing courts to set the compensation for damages to an amount that does not exceed three times the amount of the actual damages incurred by the data subject due to willful misconduct or gross negligence of the data controller. The Proposed Amendment raises this amount from three times to five times the amount of actual damages incurred by the data subject (Article 39, Paragraph (3)).
Expansion of the mandatory scope of participation in dispute mediation: The Proposed Amendment requires not only public institutions but also private data controllers to submit to dispute mediation (Article 43, Paragraph (3)) and grants the Dispute Mediation Committee the right to conduct fact-finding investigations, thereby prohibiting data controllers from refusing the Dispute Mediation Committee access to their premises or materials (Article 45, Paragraph (2)).
If the Proposed Amendment passes the plenary session of the National Assembly, it will take effect six months after the promulgation by the President, except that the right to refuse or request explanation on fully automated decisions will take effect one year after the promulgation, and the right to request the transmission of personal information will take effect as of the date prescribed in the Enforcement Decree, at least one year after the date of promulgation but no later than two years after the promulgation.
Although a number of procedures remain before passage into law, we understand that the PIPC still expects the Proposed Amendment to be passed before the year-end. Companies are advised to closely monitor the progress of the Proposed Amendment given the significant changes it contemplates.