INSIGHTS

•  

  COVID-19 Task Force  

   
  Newsletters VIEW MORE
• Newsletters

  [FAQ] Amended Personal Information Protection Act 1. What is the background behind amending the Personal Information Protection Act (the “PIPA”)? With the arrival of the Fourth Industrial Revolution, promoting new industries has become a nationwide project. Consequently, using emerging technologies such as artificial intelligence ("AI"), cloud computing, and Internet of things ("IoT") to collect and process data has become a necessity and so has the need to establish social standards for it. However, the current regulations have limitations (e.g., ambiguity in the definition of "personal information"), and the enforcement of data protection laws has been dispersed among multiple regulatory bodies, calling for a systematic overhaul of the laws. As a result, the PIPA has been amended to strengthen its purpose of protecting personal information, while enhancing the competence of the data protection regime as it applies to the related industries. 2. What are the key aspects of the amendments to the PIPA? (1) Clarify the conceptual framework of personal information by clearly establishing the definition of pseudonymized and anonymized information; (2) Centralize the regulatory and enforcement authority at the Personal Information Protection Commission (the “PIPC”) and transfer the data protection functions of the Ministry of Interior and Safety (the “MOIS”) and the Korea Communications Commission (the “KCC”) to the PIPC; and (3) Move the provisions under the Act on the Promotion of Information Network and Information Protection (the “Network Act”) concerning personal information protection to the PIPA. 3. When do the amendments come into force and when will the amendments to the subordinate regulations (e.g. the enforcement decree) be enacted? The amendments to the PIPA will come into force on August 5, 2020. Regulatory bodies currently in charge of data protection and privacy laws (the MOIS, the KCC and the Financial Services Commission) announced on January 21, 2020 that they will prepare (i) the Enforcement Decree for the amended laws by February 2020, (ii) amended administrative rules by March 2020, and (iii) revised sectoral guidelines and the commentary guidelines. However, there has been some delay in announcing the Enforcement Decree amendment. 4. What are pseudonymized information and anonymized information? Pseudonymized information is a type of personal information, which has been processed such that the information can no longer identify an individual without using or combining it with additional information to restore it to its original state (Article 2 (1) (c) of the amended PIPA). Pseudonymization refers to processing personal information by means of partial deletion or partial or total substitution such that the information becomes unidentifiable without using additional information (Article 2 (1-2) of the amended PIPA). Anonymized information is information that cannot identify an individual even when it is combined with other information, in reasonable consideration of the required time, cost, and technology for such combination. The PIPA does not apply to anonymized information (Article 58-2 of the amended PIPA). 5. How can one utilize pseudonymized information? Data controllers can process pseudonymized information without the data subject’s consent for purposes, such as statistics preparation, scientific research, preservation of public records, etc. (Article 28-2 (1) of the amended PIPA). 6. Do regulations on personal information protection apply to pseudonymized information? Article 28-7 of the amended PIPA lists provisions that do not apply to pseudonymized information: Disclosure of information, such as the source of personal information collected from sources other than the data subject (Article 20 of the amended PIPA) Destruction of personal information (Article 21 of the amended PIPA) Restrictions on transfer of personal information due to business transfer or similar (Article 27 of the amended PIPA) Notification of personal information leakage to the affected data subjects (Article 34 (1) of the amended PIPA) Data subject’s rights: access, revision/deletion, suspension of processing (Articles 35 through 37 of the amended PIPA) Special provisions that apply to online service providers (Articles 39-3, 39-4, 39-6, 39-7 and 39-8 of the amended PIPA) The following are some of the articles which are not included in the list of provisions that have been explicitly excluded from application under Article 28-7 of the amended PIPA: Requirements for delegation of personal information processing (Article 26 of the amended PIPA) Establishment and disclosure of privacy policy (Article 30 of the amended PIPA) Reporting of personal information leakage to the regulatory authority (Article 34 (3) of the amended PIPA) Protection of personal information transferred overseas under the special provision that applies to online service providers (Article 39-12 of the amended PIPA) 7. What should be considered when processing pseudonymized information? When providing pseudonymized information to a third party, it cannot be accompanied by any other information that can be used to identify an individual (Article 28-2, Paragraph 2 of the amended PIPA). Furthermore, no one may process pseudonymized information for the purpose of identifying an individual (Article 28-5 (1) of the PIPA). If information that can be used to identify an individual has been created in the course of processing pseudonymized information, the processing of such information must be suspended immediately, and the information must be retrieved and destroyed without delay (Article 28-5 (2) of the PIPA). Additionally, implementing technical, managerial, and physical protective measures (such as separated storage and management) to the additional information which can be used to restore the information to its original state is necessary to prevent loss, theft, leakage, falsification, alteration or damage of the information (Article 28-4 (1) of the amended PIPA). Combining pseudonymized information in possession of different data controllers must be undertaken by a specialized agency designated by the PIPC or the relevant central administrative agency (Article 28-3 (1) of the amended PIPA). 8. May personal information be used/provided for purposes other than the original purpose of collection without the data subject’s consent? A data controller may be permitted to use or provide personal information without the data subject’s consent, if such use or provision is within the scope which is reasonably related to the original purpose of collection, as long as the conditions prescribed in the Enforcement Decree of the amended PIPA (e.g., whether there is any disadvantage to the data subject, whether necessary security measures, such as encryption, have been taken) are met (Article 15 (3) and Article 17 (4) of the amended PIPA). 9. Which regulations on personal information protection apply to online service users? As the provisions on personal information protection under Chapter 4 of the Network Act have been transferred to Chapter 6 (“Special provision regarding processing of personal information by online service providers”) of the amended PIPA, the amended PIPA will also regulate the protection of online service users’ personal information. Since the provisions that were previously in the Network Act have been either deleted or modified (e.g., provision relating to the delegation of processing personal information under the Network Act has been deleted; provision that allowed overseas storage and delegation of personal information processing without the user’s consent only “if necessary for fulfilling the contract for providing online service and for enhancing the user’s convenience” has been deleted), it is important to accurately understand the amended provisions. 10. What sanctions can be imposed for violating the amended PIPA? A person who violates the amended PIPA will be subject to the following sanctions: Providing pseudonymized information to a third party accompanied by information that can be used to identify a specific individual: imprisonment for up to five years or criminal fine of up to KRW 50 million Processing pseudonymized information for the purpose of identifying an individual: (i) imprisonment for up to five years or criminal fine of up to KRW 50 million; (ii) administrative fine of up to 3% of the total sales revenue Processing pseudonymized information or providing pseudonymized information to a third party in a way that violates the regulations on combination of pseudonymized information, or receiving pseudonymized information for the purpose of profit or fraud, while knowing that the provided information violates the regulation regarding combination of pseudonymized information: imprisonment for up to five years or criminal fine of up to KRW 50 million Failure to implement proper security measures when processing pseudonymized information that leads to loss, theft, leakage, falsification, alteration or damage of the information: imprisonment for up to two years or criminal fine of up to KRW 20 million Failure to immediately suspend the processing of pseudonymized information or retrieve and destroy the pseudonymized information without delay when information that can be used to identify an individual has been produced through pseudonymization: administrative fine of up to KRW 30 million Failure to prepare and store records of processing pseudonymized information: administrative fine of up to KRW 10 million

  2020.03.31
  Newsletters 더 보기
• Newsletters

  Further Amendments to the Enforcement Decree of the Personal Information Protection Act Announced The draft amendments to the Enforcement Decree of the Personal Information Protection Act were first announced on March 31, 2020 and revised based on the opinion gathered from the interested parties on June 8, 2020 (the "First Amendments"). The Ministry of the Interior and Safety announced on July 14, 2020 the draft amendments which have been further revised following a review by the Regulatory Reform Committee and the Ministry of Government Legislation (the "Second Amendments"). Please refer to the attached summary for the key revisions in the Second Amendments. Although it is likely that there will be no further revision, there are a couple of remaining legislative steps remaining, such as deliberation and resolution at the Cabinet Meeting. [Korean version]

  2020.07.17
  Newsletters 더 보기
• Newsletters

  KFTC Enacts Review Guidelines for Unfair Trade Practices in Supplier-Distributor Transactions On June 30, 2020, the Korea Fair Trade Commission (the "KFTC") enacted a set of Review Guidelines for Unfair Trade Practices in Supplier-Distributor Transactions (the "Guidelines"). We summarize below key details of the Guidelines, and recommend companies with third-party distributor networks in Korea to prepare for potential exposure to risk by assessing and addressing their current compliance status based on the Guidelines. [Key Details of the Guidelines] 1. Scope of Application The Guidelines clarify that the Fairness in Distributor Transactions Act (the "FDTA") applies not only when the distributor is a reseller or sells the supplier’s products/services on consignment, but also when the distributor sells the supplier's goods/services as agents or brokers. 2. Review Standards Superior Bargaining Position of Supplier In determining whether the supplier has a superior bargaining position, various factors should be considered in totality, including (i) product market and distribution market structure, (ii) difference in business capabilities between supplier and distributor, (iii) distributor's dependence on transactions with the supplier, (iv) characteristics of the transacted goods/services, and (v) other factors that make distributors subordinate to the supplier. Unfairness of a Transaction In determining whether a trade practice is unfair, the focus should be on whether the transaction itself was unfair, rather than the competition restricting effects or unfairness in the means of competition. In assessing whether a transaction is unfair, various factors should be considered in totality, including purpose of the conduct, distributor's intent, foreseeability, degree of economic disadvantage imposed on the distributor or the difficulty posed in carrying out business activities, customary trade practice, and relevant laws and regulations. However, in determining unfairness under Article 12 of the FDTA (prohibition of retaliatory conduct), the focus should be on the causal relationship between the distributors' action (e.g., filing a complaint with the KFTC, cooperating with the KFTC's investigation) and the supplier's retaliatory conduct, without considering whether the transaction itself is unfair. 3. Examples of FDTA Violations by Type of Conduct Forced Purchases (Article 6 of FDTA) Creating a situation where the distributor has no choice but to order products by continuously urging the distributor to purchase products, and imposing disadvantages if the distributor refuses to make the purchase Allocating carryover products so that each distributor has to purchase a certain amount, and unilaterally deciding the type and quantity of products to be supplied to each distributor When the distributor places an order for new or popular products, bundling such products with carryover or unpopular products the distributor does not want to purchase Forced Economic Benefits (Article 7 of FDTA) Planning a sales promotion event without prior discussion with the distributor, and unilaterally imposing the promotion costs onto the distributor Relocating products from one distributor to another for the supplier's own needs, and imposing the transportation costs onto the distributors without reasonable cause Forced Sales Targets (Article 8 of FDTA) When the distributor fails to meet the sales target, significantly reducing or delaying the supply of goods/services ordered by that distributor When the distributor fails to meet the sales target, supplying products or services at a higher price than other distributors, or applying disadvantageous discount rates without reasonable justification Imposition of Disadvantages (Article 9 of FDTA) During the term of agreement, unilaterally changing the criteria for sales commission or consignment fees to the distributor's disadvantage During the term of agreement, despite there being no change in the credit rating, etc., of the distributor, unilaterally demanding that the distributor provide additional collateral for credit purchases, or significantly raising the collateral amount Interference with Business Activities (Article 10 of FDTA) Interfering in the distributor's hiring of sales representatives, or restricting the total number of sales representatives Demanding that the distributor provide information such as a list of its customers, product sales prices, or history of financial transactions (however, for consignment sales, excluding when there is reasonable justification such as for settlement of sales commissions) Forcing the distributor to replace facilities or equipment or to carry out interior renovation work, even though there is no objective reason to believe the said facility/equipment/interior design has deteriorated or has defects in terms of safety and hygiene that significantly impedes the normal operation of business Refusal or Evading to Confirm Order History (Article 11 of FDTA) Unilaterally changing the distributor's order and later changing the order system so that the distributor may not look up its order history or order amounts Retaliation (Article 12 of FDTA) Refusing to renew or terminating the agreement with a distributor for reporting the supplier to the KFTC for violating the FDTA despite there being an automatic renewal clause in the distribution agreement [Korean version]

  2020.07.15
  Newsletters 더 보기
• Newsletters

  Kim & Chang Legal Newsletter (2020 Issue 2) This issue includes: Korea Fair Trade Commission's Enforcement Plan for 2020 Launch of Bank's Ancillary Business for Big Data and Measures to Support Distribution of Big Data Asia Region Funds Passport Is Implemented in Korea in Accordance with the Amended Financial Investment Services and Capital Markets Act National Assembly Passes Amendments to the Monopoly Regulation and Fair Trade Law Amendment to the Korea Development Bank Act and Its Enforcement Decree to Establish the Key Industry Stabilization Fund Amended Guidelines on Corporate Governance Report and Recent Trends of ESG Reporting Recent Amendment to the Act on the Allocation and Trading of Greenhouse-Gas Emission Permits Amendments to the Subordinate Statutes of the Waste Control Act Coinsurance Is Introduced, Along with Eased Restrictions on Insurers' Management of Foreign Currency Assets Supreme Court Establishes Criteria for Application of the "Catch-All" Unfair Competition Provision Virtual Hearing in International Arbitration US Department of Commerce Enforces Countervailing Duty Regulations Against Countries with Undervalued Currencies Adoption of Customs Act Regulations on Overseas Direct Purchases Strengthens Responsibility of Purchasing Agents and Open Market Operators Amended Labor Standards Act Limits Use of Annual Paid Leave for Employees with Less Than One Year of Continuous Employment Supreme Court Finds That More Favorable Terms and Conditions of an Existing Employment Agreement Take Precedence over Amended Rules of Employment New Amendments to Capital Markets Act’s Enforcement Decree Heighten Standards for Replacement of Asset Management Company and Trustee/Custodian Implementation of Policy Reinforcing Duties of Internet Service Providers to Eradicate Digital Sex Crimes Update on Key Legislative and Policy Developments on Self-Driving Vehicles Kim & Chang Legal Newsletter (2020 Issue 2)

  2020.07.03
  Newsletters 더 보기