INSIGHTS

•  

  COVID-19 Task Force  

   
  Newsletters VIEW MORE
• Newsletters

  [FAQ] Amended Personal Information Protection Act 1. What is the background behind amending the Personal Information Protection Act (the “PIPA”)? With the arrival of the Fourth Industrial Revolution, promoting new industries has become a nationwide project. Consequently, using emerging technologies such as artificial intelligence ("AI"), cloud computing, and Internet of things ("IoT") to collect and process data has become a necessity and so has the need to establish social standards for it. However, the current regulations have limitations (e.g., ambiguity in the definition of "personal information"), and the enforcement of data protection laws has been dispersed among multiple regulatory bodies, calling for a systematic overhaul of the laws. As a result, the PIPA has been amended to strengthen its purpose of protecting personal information, while enhancing the competence of the data protection regime as it applies to the related industries. 2. What are the key aspects of the amendments to the PIPA? (1) Clarify the conceptual framework of personal information by clearly establishing the definition of pseudonymized and anonymized information; (2) Centralize the regulatory and enforcement authority at the Personal Information Protection Commission (the “PIPC”) and transfer the data protection functions of the Ministry of Interior and Safety (the “MOIS”) and the Korea Communications Commission (the “KCC”) to the PIPC; and (3) Move the provisions under the Act on the Promotion of Information Network and Information Protection (the “Network Act”) concerning personal information protection to the PIPA. 3. When do the amendments come into force and when will the amendments to the subordinate regulations (e.g. the enforcement decree) be enacted? The amendments to the PIPA will come into force on August 5, 2020. Regulatory bodies currently in charge of data protection and privacy laws (the MOIS, the KCC and the Financial Services Commission) announced on January 21, 2020 that they will prepare (i) the Enforcement Decree for the amended laws by February 2020, (ii) amended administrative rules by March 2020, and (iii) revised sectoral guidelines and the commentary guidelines. However, there has been some delay in announcing the Enforcement Decree amendment. 4. What are pseudonymized information and anonymized information? Pseudonymized information is a type of personal information, which has been processed such that the information can no longer identify an individual without using or combining it with additional information to restore it to its original state (Article 2 (1) (c) of the amended PIPA). Pseudonymization refers to processing personal information by means of partial deletion or partial or total substitution such that the information becomes unidentifiable without using additional information (Article 2 (1-2) of the amended PIPA). Anonymized information is information that cannot identify an individual even when it is combined with other information, in reasonable consideration of the required time, cost, and technology for such combination. The PIPA does not apply to anonymized information (Article 58-2 of the amended PIPA). 5. How can one utilize pseudonymized information? Data controllers can process pseudonymized information without the data subject’s consent for purposes, such as statistics preparation, scientific research, preservation of public records, etc. (Article 28-2 (1) of the amended PIPA). 6. Do regulations on personal information protection apply to pseudonymized information? Article 28-7 of the amended PIPA lists provisions that do not apply to pseudonymized information: Disclosure of information, such as the source of personal information collected from sources other than the data subject (Article 20 of the amended PIPA) Destruction of personal information (Article 21 of the amended PIPA) Restrictions on transfer of personal information due to business transfer or similar (Article 27 of the amended PIPA) Notification of personal information leakage to the affected data subjects (Article 34 (1) of the amended PIPA) Data subject’s rights: access, revision/deletion, suspension of processing (Articles 35 through 37 of the amended PIPA) Special provisions that apply to online service providers (Articles 39-3, 39-4, 39-6, 39-7 and 39-8 of the amended PIPA) The following are some of the articles which are not included in the list of provisions that have been explicitly excluded from application under Article 28-7 of the amended PIPA: Requirements for delegation of personal information processing (Article 26 of the amended PIPA) Establishment and disclosure of privacy policy (Article 30 of the amended PIPA) Reporting of personal information leakage to the regulatory authority (Article 34 (3) of the amended PIPA) Protection of personal information transferred overseas under the special provision that applies to online service providers (Article 39-12 of the amended PIPA) 7. What should be considered when processing pseudonymized information? When providing pseudonymized information to a third party, it cannot be accompanied by any other information that can be used to identify an individual (Article 28-2, Paragraph 2 of the amended PIPA). Furthermore, no one may process pseudonymized information for the purpose of identifying an individual (Article 28-5 (1) of the PIPA). If information that can be used to identify an individual has been created in the course of processing pseudonymized information, the processing of such information must be suspended immediately, and the information must be retrieved and destroyed without delay (Article 28-5 (2) of the PIPA). Additionally, implementing technical, managerial, and physical protective measures (such as separated storage and management) to the additional information which can be used to restore the information to its original state is necessary to prevent loss, theft, leakage, falsification, alteration or damage of the information (Article 28-4 (1) of the amended PIPA). Combining pseudonymized information in possession of different data controllers must be undertaken by a specialized agency designated by the PIPC or the relevant central administrative agency (Article 28-3 (1) of the amended PIPA). 8. May personal information be used/provided for purposes other than the original purpose of collection without the data subject’s consent? A data controller may be permitted to use or provide personal information without the data subject’s consent, if such use or provision is within the scope which is reasonably related to the original purpose of collection, as long as the conditions prescribed in the Enforcement Decree of the amended PIPA (e.g., whether there is any disadvantage to the data subject, whether necessary security measures, such as encryption, have been taken) are met (Article 15 (3) and Article 17 (4) of the amended PIPA). 9. Which regulations on personal information protection apply to online service users? As the provisions on personal information protection under Chapter 4 of the Network Act have been transferred to Chapter 6 (“Special provision regarding processing of personal information by online service providers”) of the amended PIPA, the amended PIPA will also regulate the protection of online service users’ personal information. Since the provisions that were previously in the Network Act have been either deleted or modified (e.g., provision relating to the delegation of processing personal information under the Network Act has been deleted; provision that allowed overseas storage and delegation of personal information processing without the user’s consent only “if necessary for fulfilling the contract for providing online service and for enhancing the user’s convenience” has been deleted), it is important to accurately understand the amended provisions. 10. What sanctions can be imposed for violating the amended PIPA? A person who violates the amended PIPA will be subject to the following sanctions: Providing pseudonymized information to a third party accompanied by information that can be used to identify a specific individual: imprisonment for up to five years or criminal fine of up to KRW 50 million Processing pseudonymized information for the purpose of identifying an individual: (i) imprisonment for up to five years or criminal fine of up to KRW 50 million; (ii) administrative fine of up to 3% of the total sales revenue Processing pseudonymized information or providing pseudonymized information to a third party in a way that violates the regulations on combination of pseudonymized information, or receiving pseudonymized information for the purpose of profit or fraud, while knowing that the provided information violates the regulation regarding combination of pseudonymized information: imprisonment for up to five years or criminal fine of up to KRW 50 million Failure to implement proper security measures when processing pseudonymized information that leads to loss, theft, leakage, falsification, alteration or damage of the information: imprisonment for up to two years or criminal fine of up to KRW 20 million Failure to immediately suspend the processing of pseudonymized information or retrieve and destroy the pseudonymized information without delay when information that can be used to identify an individual has been produced through pseudonymization: administrative fine of up to KRW 30 million Failure to prepare and store records of processing pseudonymized information: administrative fine of up to KRW 10 million

  2020.03.31
  Newsletters 더 보기
• Newsletters

  Kim & Chang Legal Newsletter (2020 Issue 2) This issue includes: Korea Fair Trade Commission’s Enforcement Plan for 2020 Launch of Bank’s Ancillary Business for Big Data and Measures to Support Distribution of Big Data Asia Region Funds Passport Is Implemented in Korea in Accordance with the Amended Financial Investment Services and Capital Markets Act National Assembly Passes Amendments to the Monopoly Regulation and Fair Trade Law Amendment to the Korea Development Bank Act and Its Enforcement Decree to Establish the Key Industry Stabilization Fund Amended Guidelines on Corporate Governance Report and Recent Trends of ESG Reporting Recent Amendment to the Act on the Allocation and Trading of Greenhouse-Gas Emission Permits Amendments to the Subordinate Statutes of the Waste Control Act Coinsurance Is Introduced, Along with Eased Restrictions on Insurers’ Management of Foreign Currency Assets Supreme Court Establishes Criteria for Application of the “Catch-All” Unfair Competition Provision Virtual Hearing in International Arbitration US Department of Commerce Enforces Countervailing Duty Regulations Against Countries with Undervalued Currencies Adoption of Customs Act Regulations on Overseas Direct Purchases Strengthens Responsibility of Purchasing Agents and Open Market Operators Amended Labor Standards Act Limits Use of Annual Paid Leave for Employees with Less Than One Year of Continuous Employment Supreme Court Finds That More Favorable Terms and Conditions of an Existing Employment Agreement Take Precedence over Amended Rules of Employment New Amendments to Capital Markets Act’s Enforcement Decree Heighten Standards for Replacement of Asset Management Company and Trustee/Custodian Implementation of Policy Reinforcing Duties of Internet Service Providers to Eradicate Digital Sex Crimes Update on Key Legislative and Policy Developments on Self-Driving Vehicles Kim & Chang Legal Newsletter (2020 Issue 2)

  2020.07.03
  Newsletters 더 보기
• Newsletters

  KFTC Announces Proposed FTL Amendment Bill On June 10, 2020, the Korea Fair Trade Commission (the "KFTC") announced an amendment bill to comprehensively overhaul the Monopoly Regulation and Fair Trade Law (the "FTL") (the "Proposed Amendment"). If eventually passed by the National Assembly, the Proposed Amendment will have significant ramifications on antitrust investigations and enforcement, particularly from the perspective of (i) strengthening enforcement (e.g., allowing the prosecutors' office to initiate investigations without a criminal referral from the KFTC, doubling the maximum amount of administrative fines, introducing a "size of transaction" test for merger filings), (ii) bolstering due process (e.g., guaranteeing the right to counsel in KFTC investigations), and (iii) clarifying/simplifying legal requirements (e.g., including information exchange as a type of illegal collusive conduct, clarifying the definition of resale price maintenance). The Proposed Amendment is substantively identical to the amendment bill that had been proposed in 2018 (the "2018 Amendment Bill"), except that part of the 2018 Amendment Bill was passed as law in April 2020. The April 2020 FTL amendments related to enforcement procedure, such as: obligating the KFTC to issue official notices for dawn raids; guaranteeing the respondent's right to provide written and oral testimony at all stages of an investigation; expanding the right for respondents and others to request access to the KFTC case materials; and changing the statute of limitations for FTL violations, other than cartels. During the mandatory opinion canvassing period from June 11 to July 21, 2020, the KFTC will receive opinions from interested parties, submit the Proposed Amendment bill to other government bodies for further review, and then submit the final draft of the Proposed Amendment bill to the National Assembly. Overview and Expected Implications The KFTC has grouped the proposed amendments into the following four categories. 1. Enforcement Procedure Reform In terms of improving enforcement procedures, the Proposed Amendments institute measures, such as removing the exclusive criminal referral powers of the KFTC to allow prosecutors to bring indictments in hardcore cartel cases without the KFTC's criminal referral; increasing certain administrative fines (doubling the maximum percentage of revenues); and guaranteeing private citizens the right of action to enjoin certain FTL violations without going through the KFTC investigation process. If passed, we expect these will lead to closer collaboration between the KFTC and prosecutors from the earliest cartel investigation stages, which would be a significant departure from previous practice, where the prosecutors would normally become involved largely after the KFTC enforcement is complete. We also expect the KFTC to take advantage of the higher administrative fine amounts; for example, the maximum percentage of relevant revenues would increase from 10% to 20% for cartels. Further, we expect more private causes of action, even in the absence of a related KFTC investigation. 2. Due Process The Proposed Amendments continue in the KFTC's continued efforts to improve due process, such as by explicitly guaranteeing the right to counsel in all KFTC investigations and proceedings and by obligating the KFTC to prepare official written statements when obtaining testimony from individuals under investigation. 3. Encouragement of Innovation and Growth The KFTC has grouped a number of its proposed amendments under this heading to highlight the Proposed Amendment's efforts to relax certain regulations (e.g., relaxing the requirements to establish and operate venture capital holding companies) and to clarify certain statutory definitions and legal grounds (e.g., clarifying the basis for market surveys, clarifying the definition of resale price maintenance). However, this category also includes potentially significant amendments that could materially affect a company's business. For example, certain types of information exchange are included in the definition of illegal collusive conduct. In addition, a "size of transaction" test is introduced for merger filings, even if the parties to a merger fail to meet the existing worldwide assets/sales revenues and Korean sales revenues thresholds. 4. Conglomerate Regulation The Proposed Amendments introduce a host of measures to strengthen regulatory oversight over the conglomerates in Korea, largely to lessen the concentration of economic power of leading conglomerates and modernize their corporate governance structure. For more details, please see the attached file. [Korean version]

  2020.06.15
  Newsletters 더 보기
• Newsletters

  Revised Amendments to the Enforcement Decree of the Personal Information Protection Act On March 31, 2020, key points of the draft amendments to the Enforcement Decree of the Personal Information Protection Act (the "Draft Amendments") were published. The Ministry of the Interior and Safety announced on June 8, 2020 the revised amendments based on the opinion gathered from the interested parties (the "Revised Amendments"). While the Revised Amendments largely follow the Draft Amendments, please refer to below for key changes. Specific Standards for Using and Providing Personal Information within the "Scope Reasonably Related to Original Purpose of Collection" The Draft Amendments stipulated that in order to use or provide personal information without the consent of data subjects within the scope reasonably related to original purpose of collection, all of the following four conditions need to be satisfied: (i) the purpose of additional use and provision is substantially related to the original purpose for which the personal information was collected; (ii) the additional use and provision is foreseeable in light of the circumstances and practices; (iii) the additional use and provision does not unfairly infringe on the interests of the data subject or a third party; and (iv) if the purpose of additional use and provision can be achieved with the personal information being pseudonymized, then the personal information must be pseudonymized. While the Revised Amendments have retained most of these conditions, the underlined parts have been revised. The reference to the purpose of additional use and provision having to be "substantially" related to the original purpose in the first condition has also been deleted. The requirement that both the circumstances and practices be considered under the second condition has been relaxed, now only either the circumstances or the practices having to be taken into account. Security Measures for Pseudonymized and Additional Information The Revised Amendments specify the requirements concerning pseudonymized information, such as keeping a record of processing pseudonymized information, and obligations to retain and destroy it. If data controllers process pseudonymized information, they need to maintain a record of the following matters and retain it for at least three years after destroying the pseudonymized information (except where the record is pseudonymized to ensure data security): (i) The purpose of pseudonymization (ii) Items of personal information which have been pseudonymized (iii) Retention period for which pseudonymized information (iv) History of using the pseudonymized information (v) Recipient of the pseudonymized information (if provided to a third party) (vi) Matters related to destruction of pseudonymized information (vii) Any other matters notified by the Personal Information Protection Committee According to the Revised Amendments, data controllers must destroy the pseudonymized information without delay when the retention period expires. Further, data controllers must separately store pseudonymized information and the information that can be combined with the pseudonymized information to identify an individual ("additional information"). The additional information must be destroyed if it is no longer needed and access to pseudonymized and additional information, respectively, must be separated. Request to Remove Combined Pseudonymized Data The Draft Amendments stated that when a data controller files a request to combine pseudonymized information, the request is to be assessed and approved in view of whether it is difficult to achieve the purpose of combination in the Analysis Space within the premises of the expert organization where technical, organizational and physical measures have been implemented or whether such Analysis Space is not readily available. By deleting the underlined part above in the Revised Amendments, the restrictions on removing the combined information from the expert organization have been relaxed. [Korean version]

  2020.06.12
  Newsletters 더 보기