On April 4, 2024, the Personal Information Protection Commission (“PIPC”) published its Guidelines on the Application of the Personal Information Protection Act (“PIPA”) to Foreign Businesses (the “Guidelines”). The Guidelines clarify the principles and standards for extraterritorial application.
1. PIPC Will Apply PIPA to Foreign Businesses
2. PIPC Will Apply PIPA to Foreign Businesses in the Following Circumstances
- Providing goods or services to Korean data subjects
  – According to the Guidelines, the PIPA applies where a foreign business provides goods or services to Korean data subjects. Whether a foreign business provides goods or services is determined based on factors such as the language, currency, form and method in which such goods or services are provided.
  – For example, if a foreign business (i) uses a Korean URL (e.g., “.kr” or “/ko-kr”) in operating a website, (ii) launches services targeting Korea in an app market, or (iii) provides services in the Korean language only, then the PIPC may consider that it provides goods or services to Korean data subjects.
- Having an impact on Korean data subjects
  – According to the Guidelines, even if a foreign business does not provide goods or services to Korean data subjects, the PIPA should apply if the foreign business intentionally processes the personal information of, or has a direct and significant impact on, Korean data subjects.
  – The PIPC further takes the position that the PIPA applies where a foreign business (i) processes Korean data subjects’ personal information in a delegation relationship with a Korean entity, or (ii) receives Korean data subjects’ personal information from a Korean business and processes such information for its own business purposes.
- Having a place of business in Korea
  – The PIPA also applies to a foreign business if it provides goods or services and has a place of business in Korea where it processes personal information.
3. Foreign Businesses Subject to PIPA Must Comply With All PIPA Requirements
- The Guidelines reiterate the various requirements that foreign businesses subject to the PIPA must comply with, including:
  – Giving notice of and reporting data breaches
  – Preparing and disclosing a privacy policy
  – Guaranteeing the rights of data subjects
  – Protecting personal information of children under the age of 14
  – Restricting overseas transfers of personal information
  – Covering liability for damages
  – Dispute mediation regarding personal information
  – Delegation of personal information processing
  – Designating a local privacy agent
  – Investigation of legal violations, corrective measures and sanctions such as administrative penalties by the regulator
As the Guidelines show that the PIPC intends to enforce the PIPA against foreign businesses, foreign businesses with any connection to Korea are advised to review the Guidelines and monitor the PIPC’s enforcement trends. Currently, the Guidelines are only available in Korean, but the PIPC has announced that it intends to publish an English version of the Guidelines later this month.