
State Council Adopts Amendment to PIPA Enforcement Decree

2023.09.20

On September 5, 2023 the State Council adopted and promulgated the amendments to the Enforcement Decree of the PIPA which were announced by the Personal Information Protection Commission (the “PIPC”) on May 19, 2023. The amended Enforcement Decree entered into force together with the amended PIPA on September 15, 2023.
 
As explained in our May 22, 2023 newsletter (Link) titled “Proposed Amendment to the Enforcement Decree of the PIPA,” the amended Enforcement Decree mainly (i) develops the principle of consent to allow data subjects to freely choose whether to provide consent, (ii) removes the distinction between online and offline data, and integrates the relevant provisions, and (iii) strengthens security measures to prevent data breach incidents in the public sector. The key issues covered by the amended Enforcement Decree are the following:
 
Issue / Key Details

Requirements for Processing Personal Information

  • (How to obtain consent) Consent must satisfy the following conditions: (i) the data subject must be able to decide whether to give consent of his/her own free will, (ii) the details of what the data subject is consenting to must be specific and clear, (iii) the language of the text for consent must be easy to read and understand, and (iv) the data subject must be provided with a way to clearly express his/her consent.

Mobile Visual Data Processing Device

  • (Definition of mobile visual data processing devices) Mobile visual data processing devices are classified into: (i) devices that are worn on the human body and clothes, such as glasses and watches (“wearable devices”), (ii) devices that can be easily carried by people, such as mobile devices and digital cameras (“portable devices”), and (iii) devices that are attached to or hung from movable objects, such as vehicles and drones (“attached/hung devices”).
    ※ Regarding attached/hung devices, the criterion that such devices must be “fixed” to movable objects has been removed from the draft amendments to the Enforcement Decree.

  • (How to notify filming) The relevant provision stipulates that when using mobile visual data processing devices, the fact that filming is taking place must be displayed and notified by means of lights, sounds, signboards, written statements, announcements or other similar means. If it is difficult to notify filming due to the nature of the filming method used (e.g., drone), a notice must be posted on a website operated by the PIPC.
    ※ The draft amendments stated that the alternative method of providing notice would be set out in a notification published by the PIPC, but the final Enforcement Decree stipulates that a notice should be posted on a website operated by the PIPC.

Restriction on Overseas Transfer of Personal Information

  • (Recognition of level of personal information protection) The amended Enforcement Decree provides for the matters and procedures to be considered by the PIPC when determining the level of personal information protection offered by certain countries and international organizations (assessment by the expert committee on overseas transfer and consultation with the policy council).

  • (Criteria for suspension order) In determining whether the PIPC should order a suspension of an overseas transfer, the PIPC must consider: (i) the type and size of personal information that has been transferred overseas or is expected to be transferred, (ii) the severity of the violation of the relevant regulations, (iii) whether the damage is serious or irreparable, (iv) whether there is a clear benefit to the data subject, (v) whether it is possible to protect and prevent the infringement of personal information through corrective measures, (vi) whether the recipient/country of destination has effective means of remedy for damages, and (vii) whether there are reasons to believe that it is difficult to properly protect personal information, such as material infringement of personal information at the recipient/country of destination.

Privacy Policy Evaluation System

  • (Subject of evaluation) The target of evaluation will be selected by considering: (i) the type and amount of revenue of the data controller, (ii) the type (e.g., sensitive information and unique identification information) and volume of personal information processed, (iii) the legal basis and method of processing personal information, (iv) whether any violation of law has occurred, and (v) the characteristics of data subjects (e.g., children and juveniles).

  • (Assessment procedures) The PIPC will provide an assessment plan to the data controller at least ten days before the assessment begins, and notify the data controller of the results of the assessment without delay.

Integration of Online and Offline Regulations

  • (Notification of history of using and/or providing personal information) A data controller must notify data subjects of its history of using and/or providing their personal information at least once a year if: (i) the data controller processes sensitive information or the unique identification information of 50,000 or more data subjects on a daily average basis during the three months immediately preceding the end of the previous year, or (ii) the data controller processes the personal information of 1 million or more data subjects.

  • (Which data controllers must designate a domestic privacy agent) Data controllers that meet one of the following thresholds must designate a domestic privacy agent: (i) the data controller had total revenue of KRW 1 trillion or more in the previous fiscal year, (ii) the data controller stored and managed the personal information of 1 million or more domestic data subjects on a daily average basis during the three months immediately preceding the end of the previous year, or (iii) the PIPC has requested the data controller to submit certain materials and decided that the data controller needs to designate a domestic privacy agent.

  • (Notification and reporting of personal information leakages) In the event of a personal information leakage, a data controller must notify the affected data subjects within 72 hours of becoming aware of the leakage. The data controller must also report to the regulator within 72 hours if: (i) the personal information of 1,000 or more data subjects has been leaked, (ii) sensitive information or unique identification information has been leaked, or (iii) personal information has been leaked through unauthorized access from the outside. However, the data controller does not need to report to the regulator if it is able to take measures to significantly reduce the possibility that the rights and interests of the affected data subjects might be infringed, such as retrieving or deleting the compromised personal information.

Personal Information Dispute Mediation

  • (Notification of intention not to accept mediation) Where a data controller refuses to participate in a dispute mediation based on statutory grounds, it must notify the Dispute Mediation Committee of its intention and reasons for non-participation within ten days of receiving the notice of dispute mediation.

  • (Prior notice of examination for dispute mediation) The Dispute Mediation Committee must give the data controller subject to mediation a seven-day written notice of its examination, including the purpose, period, place, scope and details of the examination.

Detailed Standards and Procedures for Imposing Administrative Penalties

  • (Criteria for determining revenue unrelated to violation) The following unrelated revenues may be excluded from the base revenue from which a penalty is calculated: (i) revenue from goods or services that are unrelated to personal information processing and (ii) revenue that the PIPC agrees is not from goods or services directly or indirectly affected by the violation.
    ※ Compared to the draft amendments, for exclusion criterion (i) above, the condition that the revenues be “clearly” unrelated has been removed. For exclusion criterion (ii), the data controller’s obligation to submit evidence has been removed, and it is for the PIPC to decide which revenues are not related to the violation based on the materials submitted.

  • (Exceptions to administrative penalty) An administrative penalty may be waived if the violation is remedied and falls within certain criteria to be set by the PIPC.

  • (Consideration of seriousness of a violation when calculating base fine) Violations are categorized into four grades: (i) a very serious violation, (ii) a serious violation, (iii) a moderate violation, and (iv) a minor violation.

Detailed Standards and Procedures for Imposing Administrative Fines

  • (Additional grounds for reduction or exemption of administrative fine) Additional grounds for reduction or exemption of an administrative fine include: (i) implementation of measures to compensate for damages and to prevent further harm, (ii) having made efforts to protect personal information, such as obtaining the relevant information protection certification and partaking in voluntary personal information protection activities, and (iii) voluntarily reporting the violation.

Several amended PIPA provisions, such as (i) the right to data portability, (ii) the right to object to automated decisions, and (iii) the assessment of the level of personal information protection offered by public institutions, have a different enforcement date, which will be announced gradually from October 2023. Companies are therefore advised to keep monitoring the progress of further amendments to the Enforcement Decree.
