Personal Information Protection Commission

(This is an unofficial and slightly modified translation from a Korean-language press release.)

The Personal Information Protection Commission (“PIPC”) announced that the amended Personal Information Protection Act (“PIPA”) – Korea’s data protection law that underwent a major overhaul in March 2023 – and the subsequent Enforcement Decree of the PIPA will enter into force on Sep. 15, following its approval at the cabinet meeting held on Sep. 5, 2023.

As a broad range of changes are introduced in the amendments made to PIPA, in particular with regards to the standards for processing of personal data across domains and industries, data handlers and data privacy officers at both public and private organizations are advised to closely monitor these changes and ensure compliance with the updated law.

The revised PIPA includes changes in comprehensive areas, reflecting the results of years of in-depth discussions that took place among various stakeholders across domains and sectors.

While placing emphasis on ensuring the rights of data subjects in a practical sense, the amended PIPA also notably streamlines inconsistencies in data processing standards disparately applied to online and offline businesses to better equip the overall industry for a full-fledged digital transformation.

Some key focus areas of the amended PIPA are outlined below.

1. A strong focus on ensuring the rights of the data subjects

(1)   More flexibility in data processing practice is allowed in cases where it is urgently necessary to collect, use, or provide personal data in order to protect people from physical threats, including loss of life or property, such as in an emergency rescue operation, or to mitigate public health crisis such as during the Covid-19 pandemic outbreak. Data safeguard measures still need to be applied in these cases.

(2)   Privacy-related dispute resolution procedure is changing to provide more prompt remedy to data subjects whose rights may have been infringed. Not only public institutions, but also private companies are now mandated to participate in dispute resolution proceedings.

2. Improvements to clarify and streamline unclear or inconsistent regulations governing online and offline entities

(1)   Operation guideline is provided for the lawful processing of personal data through mobile devices with image processing capabilities, such as drones and autonomous vehicles. These devices can now be used to capture images of the surrounding environment without obtaining prior user consent as long as the activity is being performed as part of their duties and the public is clearly notified of such ongoing filming activity through means such as audio alert or signage, as required by the law.

(2)  Meanwhile, inconsistent standards that have so far been differently applied to online and offline businesses are now streamlined under the principle that the same set of activities should be governed by the same set of regulations. These include: the reporting and notification timelines for data breaches, the requirement to obtain consent from legal guardians for collection and use of personal data of children under 14, and the criteria for imposing administrative sanctions for violation, among others.     

3. Stronger safeguard measures required by public institutions handling large sets of data

Safety measures have been strengthened for operators of major public systems that deal with large amounts of personal data of Korean citizens. These measures include: the analysis and inspection of access records, the designation of a manager responsible for each system, and the notification of incidents of unauthorized access to personal data using a public system, among others.

4. Diversified conditions for cross-border transfer of data and penalty system update in tune with global trends

(1) The conditions for transfer of personal data to third-party destinations abroad have been diversified to allow data to flow to countries considered to provide the same level of data protection as Korea or to certain certified companies. As a safeguarding measure, the PIPA newly introduced a legal base for ordering the suspension of cross-border data transfer in case of violation of the law.  

(2) The basis for calculating the maximum penalty amount has been changed from “total revenue related to the violation” to “total revenue minus the amount of revenue incurred from activities not related to the violation.” This shift is introduced to prevent the financial penalty amount from being excessive beyond the scope of responsibility.

In addition, to further reduce the burden on small businesses, the revised PIPA offers ground for extending the payment period for administrative fines and penalties to up to two years, with the option to pay in installments.

The PIPC is currently working on a revised enforcement decree for some of the provisions of the amended law that will take effect at different later times, including those on “MyData,” or the right to data portability. The relevant decree will be gradually announced for public comment from October.

Haksoo Ko, Chairperson of the PIPC said, "The recent amendment of the PIPA can be viewed as the first major overhaul of the nation’s data privacy law led by the government since its enactment in 2011. It reflects the demands for stronger protection of the rights of individual data subjects as well as the voices for regulatory improvement from the field."

"Considering the scope of the changes that have been made, there are many things that need to be carefully checked against by stakeholders in various domains. The PIPC will focus on raising awareness of the content of the amended PIPA by launching promotional campaigns tailored to the different needs of the field until the end of the year, and support the stable implementation of the new regulations," he said.