Companies doing business in Korea just received an important wake-up call: Korea is serious about enforcing its strict privacy and data security rules and will not hesitate to hold both organizations and their privacy officers criminally liable for law violations.
Korea is well-known for having some of the strictest privacy and data security rules in the world but the stakes for failing to comply with these rules increased dramatically this month when a Korean court found a company’s privacy officer criminally negligent for his company’s poor security program that resulted in a data breach. Two other companies are facing similar criminal charges; decisions in those cases are expected soon.
Moreover, Korea’s three major data privacy laws, the Personal Information Protection Act (PIPA), Act on the Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), and Credit Information Use and Protection Act (“Credit Information Act”), were recently amended to introduce important changes, including designating the Personal Information Protection Commission (PIPC) as the central data privacy regulatory authority and transferring the data privacy regulatory functions of the Ministry of the Interior and Safety (MOIS) and the Korean Communications Commission (KCC) to the PIPC. With PIPC’s new and centralized regulatory authority, data privacy enforcement is expected to increase significantly.
On January 6, 2020, a Seoul District Court convicted and fined Hana Tour Service Inc. and its privacy officer for negligence in failing to prevent a 2017 data breach. This is the first time that an individual has been found personally liable for a company’s data breach violations. The company and privacy officer were each fined ₩10 million (approximately USD 8,600); however, the court opted not to impose an eight-month prison sentence on the privacy officer as requested by the Korean Prosecutors’ Office. This case is the first of three criminal cases that have been brought against companies for their failure to take the necessary technical and managerial measures under the Network Act.
The two other court cases currently pending involve Bithumb, a Korean cryptocurrency exchange, and “Good Choice,” a hotel booking app. Both companies and their respective privacy officers are being prosecuted for data breaches resulting from their alleged failure to implement the necessary technical and managerial measures under the Network Act. The Bithumb case involved the compromise of an Excel file containing the personal information of approximately 31,000 individuals; the Good Choice case involved the hotel reservation information of approximately 910,000 users and the membership information of approximately 78,000 users.
The maximum criminal penalties under either the Network Act or PIPA for failing to implement the necessary technical and managerial measures are imprisonment of up to two years or a fine of up to ₩20 million. In addition, both laws contain joint penalty provisions that impose penalties on both the company and the company’s representative, agent, or employee where the latter violates the laws’ security provisions.
Under PIPA and the Network Act, organizations are required to implement detailed technical, administrative, and physical measures to protect personal data from loss, theft, leakage, alteration, or damage. In particular, organizations must:
On January 9, 2020, the National Assembly approved amendments to PIPA, the Network Act, and the Credit Information Act that are expected to take effect six months from their promulgation date (in late July or early August 2020). These amendments are the most extensive revisions to the Network Act and PIPA since their respective enactments in 2001 and 2011.
In addition to the centralization of the data privacy regulatory functions within the PIPC and the elevation of its administrative status discussed above, other noteworthy changes include: