Title | Amended Personal Information Protection Act (PIPA) and its Enforcement Decree Become Effective | ||
---|---|---|---|
Department | Date | 2023.09.15 | |
Attachment | [press release] Amended PIPA enters into force_FN.pdf | ||
Page URL | https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2331 | ||
Contents |
(This is an unofficial and slightly modified translation from a Korean-language press release.) The Personal Information Protection Commission (“PIPC”) announced that the
amended Personal Information Protection Act (“PIPA”) – Korea’s data protection
law that underwent a major overhaul in March 2023 – and the subsequent
Enforcement Decree of the PIPA will enter into force on Sep. 15, following its
approval at the cabinet meeting held on Sep. 5, 2023. As a broad range of changes are introduced in the amendments made to PIPA,
in particular with regards to the standards for processing of personal data
across domains and industries, data handlers and data privacy officers at both
public and private organizations are advised to closely monitor these changes and
ensure compliance with the updated law. The revised PIPA includes changes in comprehensive areas, reflecting the
results of years of in-depth discussions that took place among various
stakeholders across domains and sectors. While placing emphasis on ensuring the rights of data subjects in a
practical sense, the amended PIPA also notably streamlines inconsistencies in
data processing standards disparately applied to online and offline businesses
to better equip the overall industry for a full-fledged digital transformation.
Some key focus areas of the amended PIPA are outlined below. 1. A strong focus on ensuring the rights of the data subjects (1)
More flexibility in
data processing practice is allowed in cases where it is urgently necessary to
collect, use, or provide personal data in order to protect people from physical
threats, including loss of life or property, such as in an emergency rescue operation,
or to mitigate public health crisis such as during the Covid-19 pandemic outbreak.
Data safeguard measures still need to be applied in these cases. (2)
Privacy-related
dispute resolution procedure is changing to provide more prompt remedy to data
subjects whose rights may have been infringed. Not only public institutions,
but also private companies are now mandated to participate in dispute
resolution proceedings. 2. Improvements to clarify and streamline unclear or inconsistent
regulations governing online and offline entities (1)
Operation guideline
is provided for the lawful processing of personal data through mobile devices
with image processing capabilities, such as drones and autonomous vehicles.
These devices can now be used to capture images of the surrounding environment
without obtaining prior user consent as long as the activity is being performed
as part of their duties and the public is clearly notified of such ongoing filming
activity through means such as audio alert or signage, as required by the law. (2) Meanwhile, inconsistent standards that have so far been differently
applied to online and offline businesses are now streamlined under the
principle that the same set of activities should be governed by the same set of
regulations. These include: the reporting and notification timelines for data
breaches, the requirement to obtain consent from legal guardians for collection
and use of personal data of children under 14, and the criteria for imposing
administrative sanctions for violation, among others. 3. Stronger safeguard
measures required by public institutions handling large sets of data Safety measures have
been strengthened for operators of major public systems that deal with large
amounts of personal data of Korean citizens. These measures include: the
analysis and inspection of access records, the designation of a manager
responsible for each system, and the notification of incidents of unauthorized
access to personal data using a public system, among others. 4. Diversified
conditions for cross-border transfer of data and penalty system update in tune with
global trends (1) The conditions
for transfer of personal data to third-party destinations abroad have been
diversified to allow data to flow to countries considered to provide the same
level of data protection as Korea or to certain certified companies. As a
safeguarding measure, the PIPA newly introduced a legal base for ordering the
suspension of cross-border data transfer in case of violation of the law. (2) The basis for
calculating the maximum penalty amount has been changed from “total revenue
related to the violation” to “total revenue minus the amount of revenue
incurred from activities not related to the violation.” This shift is
introduced to prevent the financial penalty amount from being excessive beyond
the scope of responsibility. In addition, to
further reduce the burden on small businesses, the revised PIPA offers ground
for extending the payment period for administrative fines and penalties to up
to two years, with the option to pay in installments. The PIPC is
currently working on a revised enforcement decree for some of the provisions of
the amended law that will take effect at different later times, including those
on “MyData,” or the right to data portability. The relevant decree will be
gradually announced for public comment from October. Haksoo Ko, Chairperson
of the PIPC said, "The recent amendment of the PIPA can be viewed as the
first major overhaul of the nation’s data privacy law led by the government
since its enactment in 2011. It reflects the demands for stronger protection of
the rights of individual data subjects as well as the voices for regulatory
improvement from the field." "Considering
the scope of the changes that have been made, there are many things that need
to be carefully checked against by stakeholders in various domains. The PIPC
will focus on raising awareness of the content of the amended PIPA by launching
promotional campaigns tailored to the different needs of the field until the
end of the year, and support the stable implementation of the new regulations,"
he said. |