Press Release

Title Improvement of Statutes
Date 2016-03-19

As a result of revisions to the PIPA which prohibited the collection of resident registration numbers and imposed penalties for unauthorized disclosure, a number of related statutes were also revised to prevent misuse of resident registration numbers, and for the implementation of the compulsory resident registration number encryption that was announced in March 2014.

■ No Collection of Resident Registration Number without a Statutory Basis

After the PIPA came into force, a large number of resident registration numbers continued to be disclosed or abused. However, civil and criminal liabilities were not appropriately imposed on the large companies responsible for this activity.

This was concerning, particularly because resident registration numbers are a primary key value, so specific personal information could be easily identified using it.

Resident registration numbers required a more stringent level of protection because of secondary damage. The principle of No Collection of Resident Registration Number without a Statutory Basis was implemented from August 7, 2014. This principle prohibited the collection of resident registration numbers without a specific statutory basis, following a grace period of one year.

In addition, a package of amendments to related statutes provided a clear statutory basis for the collection of resident registration numbers for projects for which they must be collected, such as supporting the disadvantaged by providing a reduction of or exemption from public utility charges, or for the purpose of state litigation.

In 2014, the amendment of 146 statutes was completed, and any disruption by the implementation of the principle was minimized.

Furthermore, a survey of all statutes that permitted the processing of resident registration numbers was conducted. As a result, it was recommended that government agencies repeal relevant statutory provisions for the collection of resident registration numbers in 36 statutes. It is anticipated that all resident registration numbers that have been collected and retained without a statutory basis will be deleted by August 6, 2016.

■ Mandate on Resident Registration Number Encryption

Under the PIPA, unique identification information must be encrypted when it is:

- transmitted or received through an information and communication network;

- transmitted through a secondary storage medium;

- stored on the internet or in the intersection of the internet and Intranet.

However, resident registration numbers continued to be disclosed even after PIPA came into effect. Therefore, to promote awareness of the new encryption requirements, the amendments to the PIPA were announced on March 24, 2014.

The revised PIPA also provides that:

- a data controller must manage unique identification information by encrypting it to prevent loss, theft, leakage, alteration, or corruption; and

- the object and the time of encryption will be determined by considering the effect of unauthorized disclosure, the size of retained personal information and the risk management system.

The Ministry of the Interior consulted relevant experts and businesses in relation to the stability and security of processing systems as a result of encryption and the budget required for encryption. In 2015, the Ministry of the Interior will set guidelines for determining which organizations should be using encryption and the time of encryption, and will revise the Enforcement Decree of the Personal Information Protection Act.

■ Introduction of Statutory Damages to Reinforce Personal Information Protection for Online Users

In May 2014, the Korea Communications Commission revised (May 28, 2014) the Act on Promotion of Information and Communications Network Utilization and Information Protection to introduce:

- statutory damages;

- data subject notification in the case of transfer of personal information following the sale of a business;

- an obligation to destroy personal information;

- an increase in penalties.

The revisions were enacted on May 28, 2014 and came into force on Nov 28, 2014. The Korea Communications Commission also revised and enforced the Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, which abolished the duty of electronic notification of personal information handling practices; specified the time (24 hours) to report personal information breaches; and shortened the retention period of personal information (from three years to one year).

In addition, following the ‘Normalization of Personal Information Protection’, the Korea Communications Commission prepared amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection to:

- improve consistency with other statutes relating to personal information, such as the PIPA and the Use and Protection of Credit Information Act;

- standardize sanctions; and

- adopt punitive penalties.

The Korea Communications Commission will promote the amendments in 2015.

■ Preparation of Guidelines for Personal Information Protection in New IT Services and Strengthening of User Rights

The Korea Communications Commission enacted the Guideline for Big Data Personal Information Protection that provides that information to be processed for big data projects is to be de-identified when processing personal information. The Guideline is scheduled to be enforced on and after January 1, 2015. Also, the Korea Communications Commission enacted and enforced the Guideline for Handling of Online Personal Information, which specified minimum standards for consent, and the collection and destruction of personal information.

■ Revision of the Financial Holding Companies Act

The Financial Service Commission revised the Financial Holding Company Act in May 2014. The Act prescribes that an affiliate of a financial holding company might provide other affiliates with customer information without prior consent of the consumer data, other than for the purpose of internal business management.

The Act also prescribed that an affiliate of a financial holding company must obtain the consent of the data subject when it discloses the customer information for the purpose of introducing and recommending new goods and services.

In addition, the Act prescribed that, even in cases where an affiliate of a financial holding company discloses customer information to another affiliate for the purpose of internal business management, the affiliate must notify the data subject of this disclosure.

The Act also limited the use period of disclosed information to no more than 1 month.

■ Strengthening Credit Information Protection

Under this amendment, procedures to collect, store and disclose personal information were limited. For example, restrictions were imposed on the disclosure of personal information to a third party and an affiliate.

In addition, the rights of data subjects were greatly strengthened. For example, demands for information were prohibited, such as text messages for the purpose of sales; and the responsibility of financial institutions for financial services sales agents was strengthened. Also, a financial institution is now obliged to develop a system to record the use of personal information. The right to personal information self-determination of the data subject was also strengthened by ensuring that the data subject can prevent access to their personal information if they suspect their personal information has been stolen.

Punitive and statutory damages for data breaches were adopted as a relief measure, and punitive penalties and fines were increased to deter the unauthorized disclosure of information.

The independence of the credit information collection agencies was strengthened, and their function was expanded. Also, the concurrent operation of a credit inquiry business and sideline business by a credit information collection agency was prohibited, and its ownership structure was restricted. A credit information concentration system will also be unified and reorganized to strengthen its impartiality and transparency.
