| Title | PIPC Releases “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” |
|---|---|
| Department | |
| Date | 2024.04.12 |
| Attachment | [press release] Guidelines on Applying the PIPA to Foreign Business Operators.pdf |
| Page URL | https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2488 |

Contents
PIPC Releases “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” - Guide describes the application criteria for foreign businesses who may be required to comply with the Korean data protection law, and explains some important data-related practices expected through various scenarios
(This is an unofficial translation of a press release, originally prepared in Korean.)
The Personal Information Protection Commission (“PIPC”) released the “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” (“Guide”), a comprehensive guide to help foreign businesses comply with the requirements of the Personal Information Protection Act (“PIPA”). It also seeks to encourage companies to adopt robust data protection practices to safeguard the personal information of Korean data subjects.
In the wake of a major amendment made to the PIPA in 2023, the Guide aims to clarify the legal obligations that overseas businesses may have overlooked or may easily miss under the revised regulations. The Guide also incorporates insights gained from consultations with relevant experts and the feedback gathered during an on-site meeting with foreign businesses active in Korea, which was held in January of this year.
1. Criteria for determining the applicability of the PIPA
The Guide identifies three cases where a foreign business operator may be subject to the legal requirements of the PIPA. These are: when a foreign entity (1) provides goods or services to Korean data subjects, (2) engages in personal data processing activities that affect Korean data subjects, or (3) maintains a place of business within Korean territory.
In the first case, the PIPA is applicable to an overseas business that offers goods or services to Korean data subjects. Several factors may be assessed to determine the applicability of the PIPA, such as the language used, the currency accepted, and the specific form and approach employed to provide the service. Some additional considerations may also apply.
Secondly, the PIPA may extend to foreign business operators that process Korean data subjects' personal information, even if they do not directly provide goods or services to them, if the data processing has a direct and significant impact on Korean data subjects. For instance, if an overseas business collects Korean data subjects' personal information through a service not specifically targeted towards Koreans, and discloses such information publicly on their website, this is deemed to have a substantial impact on Korean data subjects and necessitates compliance with the PIPA.
Finally, the PIPA may apply to foreign business operators that maintain a place of business within Korea where the personal information of Korean data subjects is processed during the provision of goods or services. For example, if a global service provider explicitly designates its Korean subsidiary as the data controller for Korean data subjects in its privacy policy, the Korean subsidiary falls under the purview of the PIPA. However, if the processing of personal information is unrelated to the activities of the business establishment located in Korea, a different assessment may be made on the applicability of the PIPA.
2. Clarification of some legal requirements introduced in the amended PIPA of 2023
The Guide highlights some of the legal obligations that foreign businesses need to pay particular attention to in light of the major amendment of the PIPA in 2023. These obligations encompass areas such as:

• Obtaining consent from legal guardians for children under 14 years of age (Article 22-2)
• Adhering to procedures for cross-border data transfers (Article 28-8)
• Establishing and disclosing a privacy policy (Article 30)
• Prompt notification and reporting of personal information breaches (Article 34)
• Upholding data subjects’ rights, including the right to access, modify, delete and request suspension of transmission, among others (Articles 35-38)

The Guide explains that overseas businesses, in the same manner as their domestic counterparts, are required to notify the PIPC within 72 hours of becoming aware of a data breach involving Korean data subjects. They must also inform the affected data subjects, and are expected to provide the details of the data breach to the best of their knowledge, even if those details are still preliminary, when reporting the incident to the authority.
The Guide further emphasizes that foreign business operators processing personal information of Korean data subjects outside Korea must clearly disclose matters related to such processing in writing, including the country and the name of the entity involved. For example, when an overseas business engages a third party to process personal information of Korean data subjects on its behalf, it must clearly distinguish between “provision” and “consignment” of data to the third party in accordance with the PIPA. Failing to differentiate these activities and collectively labeling them as “sharing” is not acceptable. In addition, foreign business operators are encouraged to enhance the readability of the privacy policy they disclose to Korean data subjects by including all the relevant elements required by the PIPA.
Lastly, the Guide clarifies that if a foreign business operator with the obligation to designate a “domestic agent” has established a corporation in Korea, it is advisable to designate that specific corporation as the domestic representative. (Article 32-3 of the Presidential Decree of the PIPA sets forth the scope of foreign companies that are required to have a designated domestic agent.)
To facilitate widespread usage of the Guide, the PIPC will make the file available on its official website (pipc.go.kr) and the Privacy Portal (privacy.go.kr). An English version of the guide will be uploaded on the website as well by the end of April.
The PIPC stated, “In today’s digital landscape, online services are reaching users in all corners of the world almost instantly, and as such, the Korean data protection law aims to make sure that domestic and foreign companies play by the same rules. Through this new guideline, we anticipate that foreign businesses will gain a deeper understanding of the legal requirements of the PIPA and enhance their compliance, ultimately contributing to the protection of data privacy of Korean data subjects.”
*A PDF file, formatted for better readability, is attached.