Companies doing business in Korea just received an important wake-up call: Korea is serious about enforcing its strict privacy and data security rules and will not hesitate to hold both organizations and their privacy officers criminally liable for law violations.
Korea is well known for having some of the strictest privacy and data security rules in the world, but the stakes for failing to comply with these rules increased dramatically this month when a Korean court found a company’s privacy officer criminally negligent for his company’s poor security program that resulted in a data breach. Two other companies are facing similar criminal charges; decisions in those cases are expected soon.
Moreover, Korea’s three major data privacy laws, the Personal Information Protection Act (PIPA), Act on the Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), and Credit Information Use and Protection Act (“Credit Information Act”), were recently amended to introduce important changes, including designating the Personal Information Protection Commission (PIPC) as the central data privacy regulatory authority and transferring the data privacy regulatory functions of the Ministry of the Interior and Safety (MOIS) and the Korean Communications Commission (KCC) to the PIPC. With PIPC’s new and centralized regulatory authority, data privacy enforcement is expected to increase significantly.
Criminal Cases
On January 6, 2020, a Seoul District Court convicted and fined Hana Tour Service Inc. and its privacy officer for negligence in failing to prevent a 2017 data breach. This is the first time that an individual has been found personally liable for a company’s data breach violations. The company and privacy officer were each fined ₩10 million (approximately USD 8,600); however, the court opted not to impose an eight-month prison sentence on the privacy officer as requested by the Korean Prosecutors’ Office. This case is the first of three criminal cases that have been brought against companies for their failure to take the necessary technical and managerial measures under the Network Act.
The two other court cases currently pending involve Bithumb, a Korean cryptocurrency exchange, and “Good Choice,” a hotel booking app. Both companies and their respective privacy officers are being prosecuted for data breaches resulting from their alleged failure to implement the necessary technical and managerial measures under the Network Act. The Bithumb case involved the compromise of an Excel file containing the personal information of approximately 31,000 individuals; the Good Choice case involved hotel reservation information of approximately 910,000 users and the membership information of approximately 78,000 users.
The maximum criminal penalties under either the Network Act or PIPA for failing to implement the necessary technical and managerial measures are imprisonment of up to two years or a fine of up to ₩20 million. In addition, both laws contain joint penalty provisions that impose penalties on both the company and the company’s representative, agent, or employee where the latter violates the laws’ security provisions.
Korea’s Strict Data Security Rules
Under PIPA and the Network Act, organizations are required to implement detailed technical, administrative, and physical measures to protect personal data from loss, theft, leakage, alteration, or damage. In particular, organizations must:
- implement an internal management plan that sets out the details relating to, among other things, the chief privacy officer, data encryption, access controls, storage and inspection of access records, physical security measures, and response plans in case of data breaches;
- encrypt personal identification information, passwords, and biometric information in transit over information and communications networks, when delivered on peripheral computer storage media, and at rest (in storage), subject to certain exceptions;
- impose restrictions on access to personal information and access authorizations (e.g., maintaining access logs/records and taking measures to prevent forging or falsification of such records);
- inspect access log records at least once every six months, and implement a security plan to control the use of auxiliary storage devices such as USB flash drives and external hard drives;
- maintain stringent access controls, including analyzing IP addresses to detect and respond to illegal hacking attempts, and, for those who process unique identification information (e.g., Resident Registration Numbers or RRNs), checking annually for vulnerabilities and taking the necessary supplementary measures to ensure this information is not leaked, altered, or damaged through the organization’s website (Internet homepage); and
- install and update data security programs, and adopt physical measures such as providing storage facilities for the secure storage of personal data or installing security locks.
Privacy Law Amendments
On January 9, 2020, the National Assembly approved amendments to PIPA, the Network Act, and the Credit Information Act that are expected to take effect six months from their promulgation date (in late July or early August 2020). These amendments are the most extensive revisions to the Network Act and PIPA since their respective enactments in 2001 and 2011.
In addition to the centralization of the data privacy regulatory functions within the PIPC and the elevation of its administrative status discussed above, other noteworthy changes include:
- Definition of Personal Data. Under PIPA, personal information is defined as information by itself that can identify a specific individual or information that can be easily combined with any other information to identify a specific individual. The amended PIPA clarifies that, in determining whether or not information can be easily combined with other information, factors such as the time, cost, and technology required to obtain the other information needed must be reasonably considered.
- Anonymized Data. The amended PIPA clarifies that the law does not apply to anonymized data: information that cannot identify a specific individual, even if combined with other information, after reasonably taking into account factors such as the time, cost, and technology required to obtain the other information.
- Pseudonymized Data. The amended PIPA provides a definition of pseudonymized data (personal information which has gone through full or partial deletion or substitution such that it can no longer identify an individual without other information) and permits organizations to process such data without the individual’s consent for statistical, scientific research, and public record preservation purposes only. Such data may also be transferred to third parties without the individual’s consent, provided the data are not accompanied by information that can be used to identify a specific individual.
- Legal Bases for Collection and Use. The amended PIPA loosens the rules to permit use and disclosure of personal information without consent, provided such use or disclosure is reasonably related to the original purpose of collection. Further details will be set forth in a future presidential decree.
- Privacy Provisions of the Network Act. The data privacy provisions in the Network Act have been removed and transferred to the PIPA. As a result, the processing of personal data by information and communications service providers will now be regulated under the PIPA. The existing regulatory regime for these providers remains unchanged with one key exception: user consent will not be required to outsource processing and storage of personal data. Under the existing PIPA provisions, consent is not required to outsource such processing provided individuals are given notices that contain all of the legally prescribed information on outsourcing activities.
- Credit Information Act Amendments. The scope of the Credit Information Act, which previously applied to financial institutions only, has been expanded to cover non-financial institutions with respect to their commercial transactions involving credit information. In addition, the PIPC, rather than the Financial Services Commission and the Financial Supervisory Service (the agencies responsible for enforcement of the Credit Information Act), now has the authority to request information, investigate, conduct onsite investigations, and impose corrective orders and fines against non-financial institutions.