Data Breach and IT Security Regulations in South Korea

South Korea’s Communications Network Utilisation and Information Protection Act is a personal privacy law that was passed in South Korea in 2001 and has been amended several times since, most recently in 2015. In conjunction with South Korea’s Personal Information Protection Act of 2011 or PIPA, the Communications Network Utilisation and Information Protection Act serves to protect the personal data and privacy of citizens within South Korea. More specifically, the Communications Network Utilisation and Information Protection Act protects the personal information of South Korean citizens as it pertains to the safe use of information and communications technology networks within the country.

How is personal information defined under the Act?

Under South Korea’s Network Utilisation and Information Protection Act, personal information is defined as “information concerning anyone living that contains the code, letter, voice, sound, and/or image, which allows for the possibility for that individual to be identified by name and resident registration number (including information which, if not by itself, allow for the possibility of identification when combined with other information).” Alternatively, the law defines information and communications networks as “the telecommunications infrastructure, computers, and software are used together for gathering, storage, processing, searching, transmission and reception of information.”

What are the provisions of the Act?

South Korea’s Communications Network Utilisation and Information Protection Act establishes various provisions that business entities within the country must follow as it pertains to the collection and processing of the personal information of South Korean citizens in regard to the use of information and communications services. Such provisions include but are not limited to:

• All information and communications service providers are required to protect the information, rights, and interests of the users of their respective services. Moreover, information and communications services providers must also ensure that they provide services to the general public “in a safe and healthy way.”
• In the event that an information and communications services provider experiences a security breach, the provider in question must provide notification to all relevant parties.
• The South Korean government may offer technical, financial, and requisite forms of support for the purposes of facilitating the development and implementation of information and communications networks across the various business sectors within the country.
• South Korea’s Minister of Information and Communication shall implement policies enabling the South Korean government to effectively and efficiently facilitate the development and implementation of information and communications within the country.
• The Minister of Information and Communication shall establish criteria that information and communication network providers within South Korea are responsible for adhering to at all times.
• Business entities within South Korea that manufacture and supply goods related to the offering of information and communications services will be required to receive certification from an authorized certification institution within the country, in accordance with other applicable legislation.
• State organ heads or any local government heads shall assign and publish a fixed period of time that a digital document relayer must keep a digital document in their custody.

What are the rights of South Korean citizens under the Act?

Under the Communications Network Utilisation and Information Protection Act, South Korean citizens have a number of rights as it relates to the use of information and communications networks. For instance, information and communications providers may not use the personal information of South Korean citizens without their consent. Conversely, South Korean citizens also reserve the right to obtain information and communications services in accordance with a written agreement or contract. Furthermore, information and communications services providers are also forbidden to collect certain information from South Korean citizens, such as information relating to medical records, religion, and political ideologies, among others.

In terms of the enforcement of the law, information and communications providers within South Korea are subject to numerous fines and penalties should they fail to comply with the provisions set forth in the Communications Network Utilisation and Information Protection Act. Such punishments include a prison term of up to 3 years, as well a monetary penalty of up to 30 million won ($24,517), depending on the scope and severity of the violation in question. Examples of actions that constitute violations under the law include failing to secure and protect the personal information of South Korean citizens, as well as failing to provide notification to all applicable parties in instances where a data breach has occurred.

When compared with many other nations around the world, the data protection and personal privacy legislation within the country of South Korea is particularly robust. As there are many countries around the world that have yet to pass a data security measure or personal privacy law, let alone both, citizens of South Korea are afforded a level of data security that is very rare outside of the European Union, as the General Data Protection Regulation has truly set and international standard in terms of privacy. As such, many countries around the world will surely consider passing similar measures and legislation in the future, as personal data protection and privacy continue to be pressing issues within societies all over the world.