The plenary session of the National Assembly voted to pass the proposed amendments to the Personal Information Protection Act (“PIPA”) on February 27, 2023. The amendments (“Amended PIPA”) will come into force six months after the promulgation by the President.
The amendment bill that was ultimately passed by the National Assembly had been partially revised during the review by the Legislation and Judiciary Committee since the version that was initially passed by the National Policy Committee (“NPC”) last year (“NPC Version”). Please refer to our previous newsletter (Link) for the details of the NPC Version. The key changes from the NPC Version are explained below.
-
The Amended PIPA adds a provision that allows data subjects to withdraw their data transmission requests (Article 35-2, Paragraph (5)).
-
The Amended PIPA excludes automatic decisions issued by administrative authorities from the scope of automated decisions (Article 37-2, Paragraph (1)) for the sake of consistency with the Framework Act on Administrative Affairs, which provides that an automatic decisions may be imposed only in accordance with other laws. The data subject’s right to object to an automatic decision by an administrative authority is expected to be discussed in relation to the law that provides for the grounds for such decision.
-
Under the current PIPA, a data controller may process “pseudonymized data” without the consent of the data subject for the purpose of compiling statistics, conducting scientific research and preserving records for the public interest (Article 28-2, Paragraph (1)). The NPC Version included “pseudonymization of personal information” itself in the scope of processing that can be performed without the consent of the data subject, but the Amended PIPA excludes this due to concerns that it can be misunderstood as expanding the scope of pseudonymization.
-
The NPC Version stipulated that if it would be impossible for the central government or a local government to perform its legal duties if it had to publicly display the fact that the government was filming in the course of operating a mobile visual data processing device, it did not have to notify such fact. The NPC Version also provided that in such case, the central or the local government would be required to give an ex post facto notice to data subjects that it was filming, as well as the purpose, date, time, and place of filming. However, the Amended PIPA deleted this exception because of the concerns that this could lead the government to use drones to surveil civilians. In conclusion, if the central or a local government uses a mobile visual data processing device, it must without exception display that it is doing so to the data subjects (Article 25-2, Paragraph (3)).
-
The NPC Version required the data controller’s “compliance with the Guidelines on Preparation of a Privacy Policy” be considered in assessing a privacy policy’s compliance with the PIPA. However, this was seen as inconsistent with Article 30, Paragraph (4) of the PIPA which only recommends data controllers to comply with the Guidelines on Preparation of a Privacy Policy. The Amended PIPA now reads that “whether matters required under the PIPA are included in the privacy policy” would be considered in assessing a privacy policy’s compliance with the PIPA (Article 30-2, Paragraph (1), Item one of the PIPA).
Other than the above, the Amended PIPA is not significantly different from the NPC Version. Other the key details and implications are as follows:
Integrated Regulations on Personal Information Processing |
|
[Key Points]
|
[Implications]
|
Shift from Criminal Sanctions to Financial Penalties |
|
[Key Points]
|
[Implications]
|
Strengthen the Rights of Data Subjects |
|
[Key Points]
|
[Implications]
|
The Amended PIPA is expected to bring about significant changes to the practices of protecting and using personal information, such as introducing the right to request transmission and the right to respond to automated decisions, integrating the previously binary regulations on data controllers and online service providers, and shifting the focus of sanctions to fines. However, the amendments leave a number of important matters to be determined in the Presidential Decree of the PIPA, such as (i) the method of displaying and notifying filming when operating mobile visual data processing devices, (ii) the scope of information that may be subject to transmission request, and (iii) the standards and procedures for automated decisions and what information must be disclosed for automated processing. Therefore, it is necessary to keep an eye on how the Presidential Decree of the PIPA will fine-tune the Amended PIPA.