South Korea’s Privacy Laws: Introducing PIPA

What are South Korea’s Privacy Laws?

The main privacy law in South Korea is the Personal Information Protection Act (PIPA), enacted on September 30, 2011. It applies to most organizations within South Korea, including government entities, who collect and process personal information of South Korean citizens. This act is known for being one of the strictest data compliance laws around the world, alongside legislation like the GDPR.

In addition to South Korea’s PIPA, there are also sector-specific laws, which we outline below:

• The Network Act: This law applies to IT providers.
  
• Credit Information Use and Protection Act: Also known as the Credit Information Act, this rule regulates credit information used for credit ratings.
  
• Act on Real Name Financial Transactions and Guarantee of Secrecy: This law applies to financial institutions.

South Korea’s PIPA: A Breakdown

PIPA applies to any data handler — defined by South Korea as an individual, organization or third-party that handles personal data during the course of business activity. Unlike the GDPR, PIPA does not demand explicit consent. Some types of personal information require consent and others do not. 

PIPA’s territorial scope is not defined. However, like the GDPR, it typically affects any foreign country that targets South Korean users and it almost always applies to businesses operating out of South Korea. 

The government takes a no-nonsense approach when it comes to reinforcing the Personal Information Protection Act. Penalties include high fines and possibly even imprisonment for breaching the act. To avoid the negative consequences, organizations must abide by the following obligations throughout the data lifecycle:

• Prior notification: Unlike the GDPR, the PIPA does not require explicit, written consent from data subjects. However, PIPA does demand that businesses notify individuals when they would like to collect information. If a data subject does not consent to having their data collected and used, businesses cannot deny them goods and services.
• Opt-in consent: This form of consent gives power back to individuals rather than the business. It requires data subjects to wilfully choose to opt-in, rather than implying consent by ignoring opt-out notifications.
• Heavy sanctions: Sanctions are applied to individuals, businesses and organizations when they do not meet PIPA compliance. Sanctions can take the form of fees, corrective orders, and even penalty surcharges. Additionally, public prosecutors can investigate violations, which make data handlers potentially subject to criminal punishment as well.

PIPA also centralizes concern to data subjects, so much so that if a breach occurs, the act requires companies to notify data subjects ahead of authorities, which is opposite to the GDPR.

PIPA’s Key Amendments

South Korea’s National Assembly passed three major amendments to the Personal Information Protection Act in 2020.

First, the Assembly introduced the concept of “pseudonymised data.” This amendment distinguishes between personal data and pseudonymized data. With the purpose of research, statistics and public records in mind, pseudonymized data can typically be processed without obtaining consent.

The National Assembly also amended PIPA so entities can reasonably use personal data without consent. This is permitted if data is being used “within a scope that is reasonably related to the original purpose of collection.”

The third amendment allows data to be merged under special conditions. Data sets by two different processors may be amalgamated if the process is performed by specialized agencies that commit to meeting regulations in compliance with PIPA requirements.

PIPA Compliance with Ground Labs

Attempting to meet PIPA data compliance alone is risky business. Your business could be subject to thousands of dollars of fines (or more) if you do not effectively meet all requirements of this act. Partnering with Ground Labs can reinforce your organization’s data privacy and compliance plan by showing you where all business data resides. Our data discovery platforms, like Enterprise Recon, have the ability to scan all of your organization’s surfaces and locate and categorize more than 300 data types.

Make a commitment to meet PIPA requirements today and schedule a meeting with a data compliance expert.