The PIPA of 2011, Data Protection for South Korea

The Personal Information Protection Act of 2011, or PIPA for short, is a South Korean data privacy law. Originally passed in 2011, the law was recently amended in 2020 to provide additional data protection rights for South Korean citizens. In the same vein as many other privacy laws around the world, the PIPA sets forth various restrictions on the individuals, business entities, and organizations that collect and process the personal information of South Korean citizens. The PIPA also establishes various data protection rights for South Korean citizens, as well as avenues of recourse in the event that a data subject feels their rights have been infringed upon.

What is the scope and application of the PIPA?

The PIPA applies to all “data handlers” within South Korea, whether individuals, business entities, associated third parties, or other forms of organizations that collect, access, process, or disclose personal information obtained from South Korean citizens. Unlike many other data privacy laws around the world, which contain specific provisions regarding territorial scope, the PIPA does not specify its jurisdiction over agencies and individuals that process the personal information of South Korean citizens outside of the physical boundaries of South Korea.

However, territorial applicability of the PIPA is asserted on a case-by-case basis in practice, as the South Korean government considers a number of factors when determining whether a particular agency or individual must comply with the law, including whether the company generates revenue from doing business in South Korea or provides services specifically targeted at South Korean citizens. In terms of material scope, the PIPA covers the “handling of personal data”, defined as the “collection, generation, recording, storage, retention, processing, editing, search, outputting, rectification, restoration, use, provision, disclosure, or destruction of personal data or any other action similar to any of the foregoing.”

What are the requirements of data handlers under the PIPA?

Under the PIPA, data handlers must adhere to a variety of principles in relation to the processing of personal information. These principles include the following:

What are the rights of South Korean citizens under the PIPA?

Under the PIPA, there are a bevy of personal data rights that are afforded to South Korean citizens. These various legal rights include:

What are the penalties for violating the PIPA?

In addition to placing restrictions on data handlers and providing rights to data subjects, the PIPA is enforced by the Personal Information Protection Commission, or PIPC. When the PIPC finds that a particular data handler has violated the law, that data handler is subject to various administrative sanctions, including fines, corrective orders, and penalty surcharges. To illustrate the potential punishments that can be imposed for violating the PIPA, on November 25, 2020, the PIPC imposed a penalty surcharge of KRW 6.7 billion (approx. $5,740,423) on an “international social media corporation for the provision of personal information to a third-party business operator without the consent of the data subjects, and referred the case to an investigative authority for a violation of the PIPA”.

With the 2020 amendment to the PIPA, South Korea now has data protection that is on par with other regimes around the world, such as the EU’s General Data Protection Regulation or Australia’s Consumer Data Right (CDR). Furthermore, South Korea joins the recent trend of privacy legislation that continues to grow around the world as personal information and data are being shared at a rate never seen before. As such, South Korean citizens can rest assured that they have the means to protect the personal information they share with data handlers, as well as receive justice in the event that their personal information is accessed or disclosed without their consent.
