INSIGHTS

•  

  COVID-19 Task Force  

   
  Newsletters VIEW MORE
• Newsletters

  [FAQ] Amended Personal Information Protection Act 1. What is the background behind amending the Personal Information Protection Act (the “PIPA”)? With the arrival of the Fourth Industrial Revolution, promoting new industries has become a nationwide project. Consequently, using emerging technologies such as artificial intelligence ("AI"), cloud computing, and Internet of things ("IoT") to collect and process data has become a necessity and so has the need to establish social standards for it. However, the current regulations have limitations (e.g., ambiguity in the definition of "personal information"), and the enforcement of data protection laws has been dispersed among multiple regulatory bodies, calling for a systematic overhaul of the laws. As a result, the PIPA has been amended to strengthen its purpose of protecting personal information, while enhancing the competence of the data protection regime as it applies to the related industries. 2. What are the key aspects of the amendments to the PIPA? (1) Clarify the conceptual framework of personal information by clearly establishing the definition of pseudonymized and anonymized information; (2) Centralize the regulatory and enforcement authority at the Personal Information Protection Commission (the “PIPC”) and transfer the data protection functions of the Ministry of Interior and Safety (the “MOIS”) and the Korea Communications Commission (the “KCC”) to the PIPC; and (3) Move the provisions under the Act on the Promotion of Information Network and Information Protection (the “Network Act”) concerning personal information protection to the PIPA. 3. When do the amendments come into force and when will the amendments to the subordinate regulations (e.g. the enforcement decree) be enacted? The amendments to the PIPA will come into force on August 5, 2020. Regulatory bodies currently in charge of data protection and privacy laws (the MOIS, the KCC and the Financial Services Commission) announced on January 21, 2020 that they will prepare (i) the Enforcement Decree for the amended laws by February 2020, (ii) amended administrative rules by March 2020, and (iii) revised sectoral guidelines and the commentary guidelines. However, there has been some delay in announcing the Enforcement Decree amendment. 4. What are pseudonymized information and anonymized information? Pseudonymized information is a type of personal information, which has been processed such that the information can no longer identify an individual without using or combining it with additional information to restore it to its original state (Article 2 (1) (c) of the amended PIPA). Pseudonymization refers to processing personal information by means of partial deletion or partial or total substitution such that the information becomes unidentifiable without using additional information (Article 2 (1-2) of the amended PIPA). Anonymized information is information that cannot identify an individual even when it is combined with other information, in reasonable consideration of the required time, cost, and technology for such combination. The PIPA does not apply to anonymized information (Article 58-2 of the amended PIPA). 5. How can one utilize pseudonymized information? Data controllers can process pseudonymized information without the data subject’s consent for purposes, such as statistics preparation, scientific research, preservation of public records, etc. (Article 28-2 (1) of the amended PIPA). 6. Do regulations on personal information protection apply to pseudonymized information? Article 28-7 of the amended PIPA lists provisions that do not apply to pseudonymized information: Disclosure of information, such as the source of personal information collected from sources other than the data subject (Article 20 of the amended PIPA) Destruction of personal information (Article 21 of the amended PIPA) Restrictions on transfer of personal information due to business transfer or similar (Article 27 of the amended PIPA) Notification of personal information leakage to the affected data subjects (Article 34 (1) of the amended PIPA) Data subject’s rights: access, revision/deletion, suspension of processing (Articles 35 through 37 of the amended PIPA) Special provisions that apply to online service providers (Articles 39-3, 39-4, 39-6, 39-7 and 39-8 of the amended PIPA) The following are some of the articles which are not included in the list of provisions that have been explicitly excluded from application under Article 28-7 of the amended PIPA: Requirements for delegation of personal information processing (Article 26 of the amended PIPA) Establishment and disclosure of privacy policy (Article 30 of the amended PIPA) Reporting of personal information leakage to the regulatory authority (Article 34 (3) of the amended PIPA) Protection of personal information transferred overseas under the special provision that applies to online service providers (Article 39-12 of the amended PIPA) 7. What should be considered when processing pseudonymized information? When providing pseudonymized information to a third party, it cannot be accompanied by any other information that can be used to identify an individual (Article 28-2, Paragraph 2 of the amended PIPA). Furthermore, no one may process pseudonymized information for the purpose of identifying an individual (Article 28-5 (1) of the PIPA). If information that can be used to identify an individual has been created in the course of processing pseudonymized information, the processing of such information must be suspended immediately, and the information must be retrieved and destroyed without delay (Article 28-5 (2) of the PIPA). Additionally, implementing technical, managerial, and physical protective measures (such as separated storage and management) to the additional information which can be used to restore the information to its original state is necessary to prevent loss, theft, leakage, falsification, alteration or damage of the information (Article 28-4 (1) of the amended PIPA). Combining pseudonymized information in possession of different data controllers must be undertaken by a specialized agency designated by the PIPC or the relevant central administrative agency (Article 28-3 (1) of the amended PIPA). 8. May personal information be used/provided for purposes other than the original purpose of collection without the data subject’s consent? A data controller may be permitted to use or provide personal information without the data subject’s consent, if such use or provision is within the scope which is reasonably related to the original purpose of collection, as long as the conditions prescribed in the Enforcement Decree of the amended PIPA (e.g., whether there is any disadvantage to the data subject, whether necessary security measures, such as encryption, have been taken) are met (Article 15 (3) and Article 17 (4) of the amended PIPA). 9. Which regulations on personal information protection apply to online service users? As the provisions on personal information protection under Chapter 4 of the Network Act have been transferred to Chapter 6 (“Special provision regarding processing of personal information by online service providers”) of the amended PIPA, the amended PIPA will also regulate the protection of online service users’ personal information. Since the provisions that were previously in the Network Act have been either deleted or modified (e.g., provision relating to the delegation of processing personal information under the Network Act has been deleted; provision that allowed overseas storage and delegation of personal information processing without the user’s consent only “if necessary for fulfilling the contract for providing online service and for enhancing the user’s convenience” has been deleted), it is important to accurately understand the amended provisions. 10. What sanctions can be imposed for violating the amended PIPA? A person who violates the amended PIPA will be subject to the following sanctions: Providing pseudonymized information to a third party accompanied by information that can be used to identify a specific individual: imprisonment for up to five years or criminal fine of up to KRW 50 million Processing pseudonymized information for the purpose of identifying an individual: (i) imprisonment for up to five years or criminal fine of up to KRW 50 million; (ii) administrative fine of up to 3% of the total sales revenue Processing pseudonymized information or providing pseudonymized information to a third party in a way that violates the regulations on combination of pseudonymized information, or receiving pseudonymized information for the purpose of profit or fraud, while knowing that the provided information violates the regulation regarding combination of pseudonymized information: imprisonment for up to five years or criminal fine of up to KRW 50 million Failure to implement proper security measures when processing pseudonymized information that leads to loss, theft, leakage, falsification, alteration or damage of the information: imprisonment for up to two years or criminal fine of up to KRW 20 million Failure to immediately suspend the processing of pseudonymized information or retrieve and destroy the pseudonymized information without delay when information that can be used to identify an individual has been produced through pseudonymization: administrative fine of up to KRW 30 million Failure to prepare and store records of processing pseudonymized information: administrative fine of up to KRW 10 million

  2020.03.31
  Newsletters 더 보기
• Newsletters

  Kim & Chang Legal Newsletter (2020 Issue 2) This issue includes: Korea Fair Trade Commission's Enforcement Plan for 2020 Launch of Bank's Ancillary Business for Big Data and Measures to Support Distribution of Big Data Asia Region Funds Passport Is Implemented in Korea in Accordance with the Amended Financial Investment Services and Capital Markets Act National Assembly Passes Amendments to the Monopoly Regulation and Fair Trade Law Amendment to the Korea Development Bank Act and Its Enforcement Decree to Establish the Key Industry Stabilization Fund Amended Guidelines on Corporate Governance Report and Recent Trends of ESG Reporting Recent Amendment to the Act on the Allocation and Trading of Greenhouse-Gas Emission Permits Amendments to the Subordinate Statutes of the Waste Control Act Coinsurance Is Introduced, Along with Eased Restrictions on Insurers' Management of Foreign Currency Assets Supreme Court Establishes Criteria for Application of the "Catch-All" Unfair Competition Provision Virtual Hearing in International Arbitration US Department of Commerce Enforces Countervailing Duty Regulations Against Countries with Undervalued Currencies Adoption of Customs Act Regulations on Overseas Direct Purchases Strengthens Responsibility of Purchasing Agents and Open Market Operators Amended Labor Standards Act Limits Use of Annual Paid Leave for Employees with Less Than One Year of Continuous Employment Supreme Court Finds That More Favorable Terms and Conditions of an Existing Employment Agreement Take Precedence over Amended Rules of Employment New Amendments to Capital Markets Act’s Enforcement Decree Heighten Standards for Replacement of Asset Management Company and Trustee/Custodian Implementation of Policy Reinforcing Duties of Internet Service Providers to Eradicate Digital Sex Crimes Update on Key Legislative and Policy Developments on Self-Driving Vehicles Kim & Chang Legal Newsletter (2020 Issue 2)

  2020.07.03
  Newsletters 더 보기
• Newsletters

  KFTC Announces Proposed FTL Amendment Bill On June 10, 2020, the Korea Fair Trade Commission (the "KFTC") announced an amendment bill to comprehensively overhaul the Monopoly Regulation and Fair Trade Law (the "FTL") (the "Proposed Amendment"). If eventually passed by the National Assembly, the Proposed Amendment will have significant ramifications on antitrust investigations and enforcement, particularly from the perspective of (i) strengthening enforcement (e.g., allowing the prosecutors' office to initiate investigations without a criminal referral from the KFTC, doubling the maximum amount of administrative fines, introducing a "size of transaction" test for merger filings), (ii) bolstering due process (e.g., guaranteeing the right to counsel in KFTC investigations), and (iii) clarifying/simplifying legal requirements (e.g., including information exchange as a type of illegal collusive conduct, clarifying the definition of resale price maintenance). The Proposed Amendment is substantively identical to the amendment bill that had been proposed in 2018 (the "2018 Amendment Bill"), except that part of the 2018 Amendment Bill was passed as law in April 2020. The April 2020 FTL amendments related to enforcement procedure, such as: obligating the KFTC to issue official notices for dawn raids; guaranteeing the respondent's right to provide written and oral testimony at all stages of an investigation; expanding the right for respondents and others to request access to the KFTC case materials; and changing the statute of limitations for FTL violations, other than cartels. During the mandatory opinion canvassing period from June 11 to July 21, 2020, the KFTC will receive opinions from interested parties, submit the Proposed Amendment bill to other government bodies for further review, and then submit the final draft of the Proposed Amendment bill to the National Assembly. Overview and Expected Implications The KFTC has grouped the proposed amendments into the following four categories. 1. Enforcement Procedure Reform In terms of improving enforcement procedures, the Proposed Amendments institute measures, such as removing the exclusive criminal referral powers of the KFTC to allow prosecutors to bring indictments in hardcore cartel cases without the KFTC's criminal referral; increasing certain administrative fines (doubling the maximum percentage of revenues); and guaranteeing private citizens the right of action to enjoin certain FTL violations without going through the KFTC investigation process. If passed, we expect these will lead to closer collaboration between the KFTC and prosecutors from the earliest cartel investigation stages, which would be a significant departure from previous practice, where the prosecutors would normally become involved largely after the KFTC enforcement is complete. We also expect the KFTC to take advantage of the higher administrative fine amounts; for example, the maximum percentage of relevant revenues would increase from 10% to 20% for cartels. Further, we expect more private causes of action, even in the absence of a related KFTC investigation. 2. Due Process The Proposed Amendments continue in the KFTC's continued efforts to improve due process, such as by explicitly guaranteeing the right to counsel in all KFTC investigations and proceedings and by obligating the KFTC to prepare official written statements when obtaining testimony from individuals under investigation. 3. Encouragement of Innovation and Growth The KFTC has grouped a number of its proposed amendments under this heading to highlight the Proposed Amendment's efforts to relax certain regulations (e.g., relaxing the requirements to establish and operate venture capital holding companies) and to clarify certain statutory definitions and legal grounds (e.g., clarifying the basis for market surveys, clarifying the definition of resale price maintenance). However, this category also includes potentially significant amendments that could materially affect a company's business. For example, certain types of information exchange are included in the definition of illegal collusive conduct. In addition, a "size of transaction" test is introduced for merger filings, even if the parties to a merger fail to meet the existing worldwide assets/sales revenues and Korean sales revenues thresholds. 4. Conglomerate Regulation The Proposed Amendments introduce a host of measures to strengthen regulatory oversight over the conglomerates in Korea, largely to lessen the concentration of economic power of leading conglomerates and modernize their corporate governance structure. For more details, please see the attached file. [Korean version]

  2020.06.15
  Newsletters 더 보기
• Newsletters

  Recent Government Updates Relating to Artificial Intelligence – Data Distribution and Commercialization One of the most critical elements in developing and vitalizing AI-based services and products is securing expansive AI learning database. Below is our update on the recent developments to build the legal framework and institutions to establish the infrastructure to promote distribution of data that may be used for AI learning in various industries including the financial sector. 1. MOTIE to Enact the Special Act on Promotion of Innovative Growth for Industries Based on Digitalization On May 6, 2020, the Ministry of Trade, Industry and Energy (the "MOTIE") held a kick-off meeting for the task force to enact the "(draft) Special Act on Promotion of Innovative Growth for Industries based on Digitalization" (the "Act on Promotion of Digital Growth"). The meeting was held as a part of the government's “Policy for Smarter Industries,” which aims to apply cutting-edge digital technologies to industries such as manufacturing, energy and distribution. About 20 experts from the manufacturing, AI, big data and 5G industries as well as academia, research and legal sectors joined the meeting and discussed, among other topics, issues relating to the proprietary rights, transactions and business opportunities involving industrial data, ways to promote the use of industrial data and AI, and plans for the task force to enact the "Act on Promotion of Digital Growth." The MOTIE, through its press release, announced that in recognition of the growing importance of industrial data worldwide, the government will work to establish the Act on Promotion of Digital Growth as a means to further advance policies, laws, systems and necessary infrastructure related to collecting and utilizing industrial data in Korea that fall behind other countries, and thereby seek to expedite the digitization of industries based on industrial data and AI. Starting from the recent kick-off meeting, the MOTIE plans to establish three divisions, each dedicated to general management, system and support for the task force, respectively, and to conduct research on similar legislations at home and abroad, analyze related studies and collect opinions of experts from industries, academia and legal circles so that the Act on Promotion of Digital Growth can be enacted and approved by the National Assembly by the end of this year. 2. FSC Launches Financial Data Exchange to Promote Data Economy On May 11, 2020, the Financial Security Institute (the “FSI”) launched the "Data Exchange," i.e., a major financial platform in the big data industry. According to the press release of the Financial Services Commission (the “FSC”), the Data Exchange is currently in trial period and is set to function as a transaction platform to exchange non-identifiable data and business information between suppliers and buyers. According to the FSC’s operation plan, the Data Exchange will expand its function as a one-stop service platform to facilitate the transaction of financial data and non-financial data of various industrial sectors among financial institutions and other companies. In addition to the launch of the Data Exchange, the FSC will publish data distribution guidelines to establish regulations on data distribution, provide data transaction vouchers to promote data transactions in the early stages, authorize financial companies to include big data as their ancillary service, and run a council for financial data. The efforts of the MOTIE and the FSI to establish the infrastructure to utilize industrial and financial data will lay the foundation for an ecosystem to distribute AI learning data in the relevant industries, thereby promoting growth of AI industries. [Korean version]

  2020.06.04
  Newsletters 더 보기