The PIPA of 2011, Data Protection for South Korea

The Personal Information Protection Act of 2011 or PIPA for short is a South Korean data privacy law. Originally passed in 2011, the law was recently amended in 2020 to provide additional data protection rights for South Korean citizens. In the same vein as many other privacy laws around the world, the PIPA sets forth various restrictions on the individuals, business entities, and organizations who collect and process the personal information of South Korean citizens. Conversely, the PIPA also establishes various rights that are afforded to South Korean citizens as it relates to data protection, as well as avenues of recourse in the event that a data subject feels as though their rights have been infringed upon.

What is the scope and application of the PIPA?

The PIPA applies to all “data handlers” within South Korea, whether it be an individual, business entity, associated third parties, or other forms of organizations that collect, access, process, or disclose personal information obtained from South Korean citizens. Alternatively, while many other data privacy laws around the world contain specific provisions regarding the territorial scope of the law, the PIPA does not specify the jurisdiction of the law in relation to agencies and individuals that process the personal information of South Korean citizens outside of the physical boundaries of South Korea.

However, territorial applicability of the PIPA is asserted on a case by case basis in practice, as the South Korean government considers a number of factors when determining whether a particular agency or individual must comply with the law, including whether the company generates revenue from doing business in South Korea or provides services specifically targeted at South Korean citizens. In terms of material scope, the PIPA covers the “handling of personal data”, defined as the “collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the foregoing.”

What are the requirements of data handlers under the PIPA?

Under the PIPA, data handlers must adhere to a variety of principles in relation to the processing of personal information. These principles include the following:

• Data handlers must explicitly specify the purpose for which personal information is to be processed, as well as collect personal information in a manner that is lawful, fair, and is excluded to the minimum extent necessary for the purpose in which it was collected.
• Data handlers must process personal information in an appropriate manner in relation to the purposes for which personal information is to be processed, as well as refrain from using any personal information for any reason other than these purposes.
• Data handlers must ensure that all personal information in their possession is complete, accurate, and up to date to the extent necessary for the purposes for which said information was collected.
• Data handlers are responsible for handling personal information in a manner that is both safe and in accordance with the method used for data processing, the type of personal data that is being collected, while also taking into account the potential severity and risks that could be posed to data subjects as a result of data collection.
• Data handlers are required to disclose both their privacy policy and any other pertinent information related to the collection and processing of personal information, as well as guarantee data subjects the right to access their personal information in the event that a data subject makes a request to do so.
• Data handlers must process the personal information of data subjects in a manner that minimizes the risks of potentially infringing on the privacy of said data subjects. If it is possible for data handlers to fulfill the purposes of collecting personal information through the means of pseudonymized or anonymized personal data, data handlers are required to process personal data through anonymization whenever possible, and through pseudonymization, if it is impossible to fulfill the purposes of collecting personal information through anonymization.
• Data handlers are charged with obtaining the trust of data subjects by both observing and performing the responsibilities and duties outlined in the PIPA and other related South Korean legal statutes.

What are the rights of South Korean citizens under the PIPA?

Under the PIPA, there are a bevy of personal data rights that are afforded to South Korean citizens. These various legal rights include:

• The right to be informed– When obtaining consent from data subjects, data handlers are required to provide data subjects with written notice concerning the purpose of collection and use of personal information, the specific items of personal information that are to be collected, the period for which said personal information will be retained, and the data subjects right to refuse their consent to data collection, as well as any disadvantages that may result from refusal. Additionally, in the event that data handlers plan to share the personal information of data subjects with third parties, they are also responsible for notifying said data subjects with the names of third parties who will have access to their personal information, the items of personal information that are to be shared, the third parties purposes for collecting a data subjects personal information, the period for which the third party will use and retain personal information, and the data subjects right to refuse their consent to data collection, as well as any disadvantages that may result from refusal.
• The right to access– Under the PIPA, data subjects retain the right to request that a data handler grant them access to the personal information that said data handler possesses. However, there are circumstances in which this access can be denied, such as when access would lead to possible damage to the life of a third party.
• The right to rectification– In addition to a data subject’s right to request access to their personal information, they also retain the right to rectify said information after accessing it.
• The right to erasure– In the event that data subjects are granted access to their personal information but choose not to rectify it, they also have the right to request that their personal information be erased.
• The right to object/opt-out- Data handlers must allow for data subjects to object to our opt-out of the collection and processing of their personal information at any time, as well as respond to a data subject’s request to suspend the processing of their personal information after it has been collected.

What are the penalties for violating the PIPA?

In addition to placing restrictions on data handlers and providing rights to data subjects, the PIPA is enforced by the Personal Information Protection Commission or PIPC. When the PIPC has found that a particular data handler has violated the law, said data handlers are subject to various administrative sanctions including fines, corrective orders, and penalty surcharges. To illustrate the potential punishments that can be imposed as a result of violating the PIPA, On November 25, 2020, the PIPC imposed a penalty surcharge of KRW 6.7 billion (approx.$5,740,423) on an “international social media corporation for the provision of personal information to a third-party business operator without the consent of the data subjects, and referred the case to an investigative authority for a violation of the PIPA”.

With the 2020 amendment to the PIPA, South Korea now has data protection that is on par with other countries around the world such as the EU’s General Data Protection Regulation or Australia’s Consumer Data Right or CDR. Furthermore, South Korea joins the recent trend of privacy legislation that continues to grow around the world as personal information and data is being shared at a rate never seen before. As such, South Korean citizens can rest assured that they have the means to protect the personal information they share with data handlers, as well receive justice in the event that their personal information is accessed or disclosed without their consent.