INSIGHTS

•  

  COVID-19 Task Force  

   
  Newsletters VIEW MORE
• Newsletters

  [FAQ] Amended Personal Information Protection Act 1. What is the background behind amending the Personal Information Protection Act (the “PIPA”)? With the arrival of the Fourth Industrial Revolution, promoting new industries has become a nationwide project. Consequently, using emerging technologies such as artificial intelligence ("AI"), cloud computing, and Internet of things ("IoT") to collect and process data has become a necessity and so has the need to establish social standards for it. However, the current regulations have limitations (e.g., ambiguity in the definition of "personal information"), and the enforcement of data protection laws has been dispersed among multiple regulatory bodies, calling for a systematic overhaul of the laws. As a result, the PIPA has been amended to strengthen its purpose of protecting personal information, while enhancing the competence of the data protection regime as it applies to the related industries. 2. What are the key aspects of the amendments to the PIPA? (1) Clarify the conceptual framework of personal information by clearly establishing the definition of pseudonymized and anonymized information; (2) Centralize the regulatory and enforcement authority at the Personal Information Protection Commission (the “PIPC”) and transfer the data protection functions of the Ministry of Interior and Safety (the “MOIS”) and the Korea Communications Commission (the “KCC”) to the PIPC; and (3) Move the provisions under the Act on the Promotion of Information Network and Information Protection (the “Network Act”) concerning personal information protection to the PIPA. 3. When do the amendments come into force and when will the amendments to the subordinate regulations (e.g. the enforcement decree) be enacted? The amendments to the PIPA will come into force on August 5, 2020. Regulatory bodies currently in charge of data protection and privacy laws (the MOIS, the KCC and the Financial Services Commission) announced on January 21, 2020 that they will prepare (i) the Enforcement Decree for the amended laws by February 2020, (ii) amended administrative rules by March 2020, and (iii) revised sectoral guidelines and the commentary guidelines. However, there has been some delay in announcing the Enforcement Decree amendment. 4. What are pseudonymized information and anonymized information? Pseudonymized information is a type of personal information, which has been processed such that the information can no longer identify an individual without using or combining it with additional information to restore it to its original state (Article 2 (1) (c) of the amended PIPA). Pseudonymization refers to processing personal information by means of partial deletion or partial or total substitution such that the information becomes unidentifiable without using additional information (Article 2 (1-2) of the amended PIPA). Anonymized information is information that cannot identify an individual even when it is combined with other information, in reasonable consideration of the required time, cost, and technology for such combination. The PIPA does not apply to anonymized information (Article 58-2 of the amended PIPA). 5. How can one utilize pseudonymized information? Data controllers can process pseudonymized information without the data subject’s consent for purposes, such as statistics preparation, scientific research, preservation of public records, etc. (Article 28-2 (1) of the amended PIPA). 6. Do regulations on personal information protection apply to pseudonymized information? Article 28-7 of the amended PIPA lists provisions that do not apply to pseudonymized information: Disclosure of information, such as the source of personal information collected from sources other than the data subject (Article 20 of the amended PIPA) Destruction of personal information (Article 21 of the amended PIPA) Restrictions on transfer of personal information due to business transfer or similar (Article 27 of the amended PIPA) Notification of personal information leakage to the affected data subjects (Article 34 (1) of the amended PIPA) Data subject’s rights: access, revision/deletion, suspension of processing (Articles 35 through 37 of the amended PIPA) Special provisions that apply to online service providers (Articles 39-3, 39-4, 39-6, 39-7 and 39-8 of the amended PIPA) The following are some of the articles which are not included in the list of provisions that have been explicitly excluded from application under Article 28-7 of the amended PIPA: Requirements for delegation of personal information processing (Article 26 of the amended PIPA) Establishment and disclosure of privacy policy (Article 30 of the amended PIPA) Reporting of personal information leakage to the regulatory authority (Article 34 (3) of the amended PIPA) Protection of personal information transferred overseas under the special provision that applies to online service providers (Article 39-12 of the amended PIPA) 7. What should be considered when processing pseudonymized information? When providing pseudonymized information to a third party, it cannot be accompanied by any other information that can be used to identify an individual (Article 28-2, Paragraph 2 of the amended PIPA). Furthermore, no one may process pseudonymized information for the purpose of identifying an individual (Article 28-5 (1) of the PIPA). If information that can be used to identify an individual has been created in the course of processing pseudonymized information, the processing of such information must be suspended immediately, and the information must be retrieved and destroyed without delay (Article 28-5 (2) of the PIPA). Additionally, implementing technical, managerial, and physical protective measures (such as separated storage and management) to the additional information which can be used to restore the information to its original state is necessary to prevent loss, theft, leakage, falsification, alteration or damage of the information (Article 28-4 (1) of the amended PIPA). Combining pseudonymized information in possession of different data controllers must be undertaken by a specialized agency designated by the PIPC or the relevant central administrative agency (Article 28-3 (1) of the amended PIPA). 8. May personal information be used/provided for purposes other than the original purpose of collection without the data subject’s consent? A data controller may be permitted to use or provide personal information without the data subject’s consent, if such use or provision is within the scope which is reasonably related to the original purpose of collection, as long as the conditions prescribed in the Enforcement Decree of the amended PIPA (e.g., whether there is any disadvantage to the data subject, whether necessary security measures, such as encryption, have been taken) are met (Article 15 (3) and Article 17 (4) of the amended PIPA). 9. Which regulations on personal information protection apply to online service users? As the provisions on personal information protection under Chapter 4 of the Network Act have been transferred to Chapter 6 (“Special provision regarding processing of personal information by online service providers”) of the amended PIPA, the amended PIPA will also regulate the protection of online service users’ personal information. Since the provisions that were previously in the Network Act have been either deleted or modified (e.g., provision relating to the delegation of processing personal information under the Network Act has been deleted; provision that allowed overseas storage and delegation of personal information processing without the user’s consent only “if necessary for fulfilling the contract for providing online service and for enhancing the user’s convenience” has been deleted), it is important to accurately understand the amended provisions. 10. What sanctions can be imposed for violating the amended PIPA? A person who violates the amended PIPA will be subject to the following sanctions: Providing pseudonymized information to a third party accompanied by information that can be used to identify a specific individual: imprisonment for up to five years or criminal fine of up to KRW 50 million Processing pseudonymized information for the purpose of identifying an individual: (i) imprisonment for up to five years or criminal fine of up to KRW 50 million; (ii) administrative fine of up to 3% of the total sales revenue Processing pseudonymized information or providing pseudonymized information to a third party in a way that violates the regulations on combination of pseudonymized information, or receiving pseudonymized information for the purpose of profit or fraud, while knowing that the provided information violates the regulation regarding combination of pseudonymized information: imprisonment for up to five years or criminal fine of up to KRW 50 million Failure to implement proper security measures when processing pseudonymized information that leads to loss, theft, leakage, falsification, alteration or damage of the information: imprisonment for up to two years or criminal fine of up to KRW 20 million Failure to immediately suspend the processing of pseudonymized information or retrieve and destroy the pseudonymized information without delay when information that can be used to identify an individual has been produced through pseudonymization: administrative fine of up to KRW 30 million Failure to prepare and store records of processing pseudonymized information: administrative fine of up to KRW 10 million

  2020.03.31
  Newsletters 더 보기
• Newsletters

  Proposed Amendments to the Enforcement Decree of the Credit Information Use and Protection Act The proposed amendments to the Enforcement Decree of the Credit Information Use and Protection Act (the "Amendment") was published on March 31, 2020, providing further details to the changes made to the Credit Information Use and Protection Act. The Amendment's further details primarily relate to: standards with which to transfer and process personal information; the right of data portability to demand a transfer of personal credit information; the MyData business in credit information and financial industries relating to licensing, concurrent and ancillary business, and rules of practice; the consent form for utilization and provision of information within the financial industry; the ongoing evaluation system for data protection and the public disclosure of "Basic Credit Information Protection and Management Plan"; and requirements on deletion and processing of pseudonymized data. The Amendment will be subject to a preliminary legislative notice period until May 11, 2020 followed by consultation among the relevant agencies, review period by the Ministry of Government Legislation and subsequent review and approval by the Cabinet meeting, after which the Amendment will enter into force on August 5, 2020, the promulgation date. Please see the attachment for a detailed summary of the Amendment.

  2020.04.13
  Newsletters 더 보기
• Newsletters

  COVID-19: Working From Home - Key Considerations for Employers Regarding Employment and Labor Law Issues We would like to update you on key considerations for employers who have employees working from home (“WFH”). From a Korean employment and labor perspective, WFH involves an employee performing work provided under his/her employment agreement at his/her home instead of reporting to the workplace. And although some employers have planned to end their WFH programs starting this week the Korean government recently announced on April 4, 2020 that it will extend the two-week focused social distancing campaign that began on March 22, 2020 for another two weeks. Therefore, it appears that a considerable number of workplaces will continue to implement WFH programs. In terms of the procedures for implementing a WFH program we note that, if the company Rules of Employment (“ROE”), employment agreement, etc. have provisions regarding the location of the workplace which state to the effect that “The Company may implement a working from home program as necessary” or “The work location shall be a designated location within the workplace or a location designated by the Company,” the employer may implement a WFH program without obtaining separate employee consent or undergoing consultations as a basis exists for changing the workplace location. On the other hand, if no such provisions exist, the employer shall be required to at least consult with the employees concerned. In regards to working hours, if the company has a system that allows a company to issue specific work instructions from time to time by e-mail, etc., and employees can respond relative quickly, the same start / end / break times shall be applicable during the WFH program. In addition, the same procedures shall be applicable for employees requesting for and managers approving overtime / nighttime / holiday work. However, if it is difficult for employers to manage the working hours in such manner, the employees may be deemed to have worked during the working hours specified in the ROE or the employment agreement pursuant to Article 58 (1) of the Labor Standards Act (the “LSA”). As to attendance management, since an employee working from home has only changed his/her location of work, the employee is still expected to work during such work hours and should he/she perform non-work related matters during such time without receiving approval from the employer, this may be considered a violation of the ROE or internal regulations. However, the prior consent of employees are required to collect their location information on grounds of working from home. We also note that the employer will, in principle, be required to pay or reimburse employees for expenses that they incur due to their being on a WFH program such as for mobile phone usage, office supplies, etc. In addition, if the employer has previously paid for meal expenses, transportation expenses, etc. based on actual expenses, the employer will be obligated to pay employees on a WFH program for such expenses as long as the employees provide proof of such expenses.

  2020.04.08
  Newsletters 더 보기
• Newsletters

  COVID-19: Force Majeure Under Korean Law Considered in Wake of COVID-19 Pandemic Companies today face unprecedented challenges as a result of the COVID-19 pandemic; they find themselves in unfamiliar territory in such areas as employment relations, business contracts, and data privacy, to name just a few areas. To help clients navigate these uncertain times in respect of their business in Korea, Kim & Chang’s COVID-19 Taskforce has been providing newsletters on key issues. In this newsletter, we look at the definition, elements and effects of force majeure under Korean law as seen through relevant court precedents. We hope that this series will provide useful guidance for companies as they consider whether force majeure may come into play in their business endeavors. 1. Definition/Elements of Force Majeure There are multiple references to “force majeure” in various Korean statutes. Unfortunately, the black letter law does not provide for a definition of “force majeure.” Statutes such as the Administrative Appeals Act merely refer to force majeure together with such events as natural disasters and wars. However, relevant Supreme Court precedent holds that in order for a party to argue that an event constitutes force majeure, (i) the cause must be outside the realm of the party’s control and (ii) the party, despite having exerted reasonable efforts, was not able to foresee or prevent such event (Supreme Court of Korea Decision 2008Da15940, 15957 Decision). Based on such court precedent, the elements of a force majeure event are (i) a cause outside of the party’s control and (ii) lack of foreseeability/preventability. 2. Effects of Force Majeure Force majeure is a narrower concept than “no fault” and is applied to limit liability in situations where recognizing “no fault” liability would be too harsh. For example, even if an agreement assigns liability to a party for breach when the cause is not attributable to such party, force majeure may exempt such party from liability for contractual breach. Under the Civil Act of Korea, if it becomes impossible for a party to a bilateral contract to perform its obligation due to a cause that is not attributable to either party, such party may not seek performance of the counterparty’s obligation (Civil Act, Article 537). Furthermore, the obligee may not claim damages where performance has become impossible and not caused intentionally or negligently by the obligor (Civil Act, Article 390). Since force majeure refers to a circumstance where a party is not at fault for non-performance of an obligation, recognition of force majeure will allow a party to be exempted from performing a contractual obligation altogether or from damages for non-performance. 3. How Korean Courts Have Ruled on Force Majeure The following table provides a summary of Korean court precedents that we have categorized, based on how the courts have interpreted the elements. Since exempting a party’s obligations citing force majeure leads to a shift in damage or loss to the other party, Korean courts have interpreted force majeure under a very strict standard and it is difficult to find case precedent where a court exempted a party’s contractual obligation due to force majeure. A. Cause Outside of Party’s Control A.1 If a contractual agreement exists on cause of inability to perform Jeju District Court Decision 2016GaHap192 rendered on July 21, 2016. The defendant entered into an agreement to use 60 hotel rooms in the plaintiff’s hotel in expectation of renting them out to visiting Chinese tourists. However, due to the effects of the MERS outbreak and subsequent drop in the number of Chinese tourists, the defendant claimed under the Civil Act Article 537 that the defendant was under no obligation to pay (perform) since neither party to the agreement was responsible for the decrease in the number of Chinese tourists. The Court decided that under the intent of the agreement for use of hotel rooms, the defendant’s obligation was to pay for the hotel room reservation itself, regardless of whether those rooms were actually used. Furthermore, the Court held that recruiting Chinese tourists to occupy the 60 hotel rooms was not defined as the defendant’s obligation under the agreement. Therefore, the Court concluded that the defendant’s circumstance itself did not lead to impossibility to perform and held in favor of the plaintiff. Although force majeure was not directly considered or reviewed by the Court, this case can serve as a reference as to how a court would determine whether the cause of an event is outside of a party’s control. In this case, the Court defined the cause of an event narrowly and ruled that the recruitment of Chinese tourists was not the responsibility of the plaintiff, but of the defendant in such an agreement. A.2 The obligor of the party responsible for performance in an agreement (contractor parts/material supplier, etc.) Supreme Court of Korea Decision 2005Da59475, 59482, 59499 rendered on August 23, 2007. The defendant, developer A was a contractor for co-defendant company B that constructed and sold condominiums when company B filed for bankruptcy and suspended the project. The Court held that the bankruptcy and subsequent court receivership of company B (which led the project and sold the condominiums) was not a force majeure event that would exempt developer A from performing its obligations under its agreement for sale of condominiums. Seoul Central District Court Decision 2018GaHap529238 rendered on May 22, 2019. The purchasers (plaintiffs) of the condominiums demanded the purchase agreement be canceled due to the delay in completion and move-in date. The developer (defendant) argued that such delay was due to a strike by one of the cement suppliers and thus, it was outside of the defendant’s control and the defendant should not be responsible for such delay. The Court held that the supply/management of necessary materials such as cement is the responsibility of the developer within context of a condominium sale and purchase agreement. In addition, the Court found that the defendant’s actions were insufficient because the defendant did not attempt to find an alternate supplier or renegotiate the supply price of the cement. Further, even if it were not practically feasible to find an alternate cement supplier, the Court held that such risks should be inherently borne by the developer in such agreements. Thus, the Court ruled that this was not a force majeure event. A.3 Foreseeability: Expansion of realm of control by a party Seoul Central District Court Decision 2018GaHap529238 rendered on May 22, 2019. This is the same condominium sale and purchase agreement case as set forth above. The defendant also argued that the delay was caused by a weak ground foundation, which was a unique geologic characteristic of the development site. Hence, the defendant argued that this unique geologic characteristic was outside the realm of control by the defendant and thus, the defendant should not be held responsible. The Court held that the site of the construction and its geologic characteristics were elements that the defendants should have surveyed prior to starting the construction and development. As a result, the Court held that the weak ground foundation was foreseeable and thus, within the realm of control of the defendant. B. Foreseeability & Preventability B.1 Principles of Contractual Liability Supreme Court of Korea Decision 2001Da1386 rendered on September 4, 2002. The plaintiff argued that while it was contracted by the defendant to demolish and construct a new building, the Asian financial crisis caused a force majeure event because among others, it caused significant setbacks in supply of materials, etc. and eventually led to delay in completion. The Supreme Court held that, “the Court cannot recognize the Asian financial crisis and the resulting setbacks in supply of materials as a force majeure event.” Although the Supreme Court did not explicitly state the reasoning behind this decision, it is clear that the Court saw the Asian financial crisis as a foreseeable event and thus, did not constitute force majeure. B.1 If a Party’s fault is involved Seoul Central District Court Decision 2009GaHap145966 rendered on June 16, 2010. In a case where a mask supply agreement was executed after the government raised the national crisis stage from “caution” to “warning” due to the swine flu, the party that could not supply the masks due to scarcity of supply claimed force majeure. The Court held that the plaintiff, at the time it entered into an agreement with the Public Procurement Service (September 2009), was able to foresee the increase in demand for masks and thus the delay in supply could not be considered force majeure within the context of the supply agreement. Seoul Central District Court Decision 2009Na37014 rendered on January 15, 2010. The plaintiff entered into an agreement to install air conditioners at a naval base. But the plaintiff claimed force majeure because it could not perform within the agreed time due to weather conditions and heavy rain that canceled the departure of ships. The court held that it is common knowledge that a ship can be grounded due to weather (foreseeability) and that the plaintiff never asked for an extension of completion date to the other party (preventability). The court also reasoned that the plaintiff partially performed during the contract term (ability to perform, or at fault) and since the total duration of rainfall and the amount of precipitation occurring during the contract period could not be specified, force majeure should not be applied in the delay of plaintiff’s performance. B.3 Whether other competitors are able to perform or whether performance (payments) can be made through an agent Supreme Court of Korea Decision 96Da34610 rendered on March 28, 1997. [Damages for Delay] The defendant claimed that the delay in completion and move-in date for plaintiffs as agreed in the purchase agreement was caused by force majeure events such as lack of manpower and necessary materials. The Court held that since other condominiums that were built during the same time nearby were completed and purchasers were able to move in without delay, the defendant’s claim of force majeure cannot be recognized. Seoul Central District Court Decision 2018GaHap529238 rendered on May 22, 2019. This is the same condominium sale and purchase agreement case as set forth above. The Court held that it could not recognize force majeure due to the following reasons: (i) another construction site near the defendant’s site completed its development within the agreed timeline and occupants were able to move in without issue, and (ii) the defendant could have minimized the delay by procuring the required construction equipment through other means, but did not.

  2020.04.03
  Newsletters 더 보기