Published July 15, 2021.
South Korea’s wide-ranging Personal Information Protection Act (PIPA) was enacted in March 2011 and took effect on September 30, 2011, making the country one of the world’s strictest privacy regimes.
Like many other comprehensive data privacy laws, its purpose is to protect the privacy rights of the data subject, and it applies to most organisations, including government entities. Not only is it strict and broad in scope, but its penalties are actively enforced, and they range from fines to imprisonment.
PIPA in South Korea, quick summary
Personal Information Protection Act Korea, condensed
South Korea’s Personal Information Protection Act (PIPA) took effect in September 2011 and is one of the strictest data privacy laws in the world.
As with many other data privacy laws, the purpose of the PIPA in South Korea is to protect the privacy rights of the data subject. This protection applies to most organisations, including government entities, which is one of the reasons why the law is so comprehensive.
The PIPA in South Korea provides very prescriptive and specific requirements throughout the lifecycle of the handling of personal data. This includes requirements like prior notification, opt-in consent and heavy sanctions prescribed by law, which makes it one of the strictest data protection laws in the world.
Regarding the scope of application, the South Korean PIPA applies to a data handler. In the South Korean PIPA, a data handler is a person that, by itself or through a third party, handles personal data in order to operate a personal data file in the course of its business activities.
It doesn’t matter whether the person is an individual, public agency, organisation or juridical person. A personal data file means a set of personal data that is systematically organised in accordance with certain rules so that the personal data can easily be searched or used.
‘Handling of personal data’ is defined in the South Korea Personal Information Protection Act as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.
Unlike the GDPR, the PIPA in South Korea does not define consent or prescribe a particular form for it, such as written consent.
What the PIPA does specify is that when obtaining consent, the personal information processor must present the matters that require consent separately from those that do not, so that the data subject can clearly recognise what each consent covers.
This means that when obtaining consent for processing, the personal information that requires consent must be kept apart from the personal information that does not. As a consequence, the personal information processor must not refuse goods or services because the data subject declined to consent to processing that was not necessary for them.
Lastly, while the territorial scope is not specified in the law, it is worth noting that the standard for enforcement of South Korea’s data privacy law is similar to that of the EU’s GDPR.
This means that companies established in South Korea are subject to the law, while foreign companies that target South Korean users are likely to be affected by the law as well.
PIPA in Korea – timeline
- The PIPA in South Korea went into effect in September 2011.
- On April 7, 2017, the Supreme Court of Korea invalidated the consent from data subjects in a case where the defendant had asked for consent in a way that made it difficult for the data subject to know what they had consented to. It was difficult because the defendant had written the formalities in a font size of 1mm.
- On May 3, 2019, the Seoul High Court ruled that provision of sensitive personal information to third parties without consent was a violation of the PIPA. The high court noted that if the data was to be de-identified in a way that made it impossible to identify specific individuals, the provision would not be considered a violation of the PIPA.
- The National Assembly in South Korea passed several amendments to the PIPA Korea on February 4, 2020.
- These amendments, which included revised definitions for pseudonymous and anonymous processing, restrictions and penalties and associated requirements, entered into effect on August 5, 2020.
- On March 30, 2021, adequacy talks were concluded between South Korea and the EU, with the effect that personal data could potentially flow from the EU (and Norway, Liechtenstein and Iceland) to South Korea without any further safeguard being necessary. In other words, once the decision is adopted, transfers to South Korea will be treated like intra-EU transmissions of data.
- In June 2021 the EU launched the process towards adoption of the South Korea adequacy decision. The process will cover transfers of personal data to South Korea’s commercial operators as well as public authorities.
PIPA in Korea – quick breakdown
- South Korea’s PIPA, like many other major data privacy laws, has the purpose of protecting the privacy rights of the data subject.
- South Korea’s PIPA applies to most organisations, including government entities, consequently making it very comprehensive.
- The penalties for breaking the PIPA are actively enforced. They range from fines to imprisonment.
- The law consists of a general law accompanied with several special laws which pertain to specific industry sectors.
- The PIPA specifies very prescriptive and detailed obligations throughout the lifecycle of the handling of personal data. This includes obligations like prior notification, opt-in consent and heavy sanctions prescribed by law, which among other things makes it one of the strictest data protection laws in the world.
- The PIPA applies to a data handler. A data handler in the South Korean PIPA is a person that, by itself or through a third party, handles personal data in order to operate a personal data file in the course of its business activities. The PIPA does not distinguish between the person being a public agency, organisation, individual or juridical person.
- A personal data file means a set of personal data that is systematically organised pursuant to certain rules so that the personal data can easily be searched or used.
- The PIPA does not define consent or prescribe a particular form for it, such as written consent. Instead, it distinguishes between personal information whose processing requires consent and personal information whose processing does not.
- Territorial scope is not specified in the law, but the standard for enforcement of South Korean law is similar to the EU’s GDPR, meaning that companies established in South Korea are subject to the law.
- Extra territorial scope is also not specified in the law, but foreign companies that target South Korean users are likely to be affected by the law.
PIPA South Korea compliance with Cookiebot CMP
Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.
This helps ensure that your website complies with the main data privacy laws around the world, including South Korea’s PIPA, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, the EU’s GDPR, the UK’s GDPR and California’s CCPA.
Even though the South Korean PIPA does not prescribe a form of consent as explicit as some other data privacy laws do, it is still a good idea to make sure that your users know what they are consenting to.
Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.
For that reason, among others, Cookiebot CMP is considered an optimal solution, for making your domain fully compliant without the need for you to get into any complicated technical implementation.
What is Cookiebot CMP?
You might wonder, what is Cookiebot CMP? Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete PIPA compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.
Cookiebot CMP offers you a detailed scan report including details about your website’s cookies such as purpose, provider, duration and what third parties it shared end-user data with.
Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.
Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with the PIPA in South Korea along with many other data privacy regulations around the world.
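The scan report described above lists, for each cookie, its provider, duration and whether it belongs to a third party. The following is an added example, not Cookiebot’s code, of how such an inventory can be derived from the Set-Cookie headers captured while a page loads. The site host, the scan date and the three sample headers are constructed for illustration; the first-party test compares the cookie’s host scope with the site host and does not consult the public suffix list.

```javascript
// Added example, not Cookiebot code: build a cookie inventory of the kind a consent
// scanner reports (name, provider, first- or third-party, lifetime) from Set-Cookie
// headers captured while loading a page. Site host and sample headers are constructed.

const SITE_HOST = 'shop.example.co.kr'; // assumed site being scanned
const SCAN_TIME = Date.UTC(2021, 6, 15); // fixed scan date so lifetimes are reproducible

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// A cookie is first-party when the host it is scoped to is the site host or a parent of it.
function isFirstParty(cookieHost, siteHost) {
  return siteHost === cookieHost || siteHost.endsWith('.' + cookieHost);
}

// Lifetime in whole days from Max-Age (takes precedence) or Expires; 0 means a session cookie.
function lifetimeDays(cookie, nowMs) {
  const { attrs } = cookie;
  if (attrs['max-age'] !== undefined) return Math.round(Number(attrs['max-age']) / 86400);
  if (attrs.expires !== undefined) {
    const exp = Date.parse(attrs.expires);
    return Number.isNaN(exp) ? 0 : Math.round((exp - nowMs) / 86400000);
  }
  return 0;
}

// entries: [{ responseHost, header }] as captured from HTTP responses during a page load.
function inventory(entries, siteHost, nowMs) {
  return entries.map(({ responseHost, header }) => {
    const cookie = parseSetCookie(header);
    // The Domain attribute (leading dot stripped) wins; otherwise the responding host set it.
    const provider = typeof cookie.attrs.domain === 'string'
      ? cookie.attrs.domain.replace(/^\./, '').toLowerCase()
      : responseHost.toLowerCase();
    const days = lifetimeDays(cookie, nowMs);
    return {
      name: cookie.name,
      provider,
      party: isFirstParty(provider, siteHost) ? 'first' : 'third',
      durationDays: days,
      persistent: days > 0,
      secure: cookie.attrs.secure === true,
      sameSite: typeof cookie.attrs.samesite === 'string' ? cookie.attrs.samesite : 'unset',
    };
  });
}

// Persistent third-party cookies are the ones to hold back until the user has consented.
function needsPriorConsent(row) {
  return row.party === 'third' && row.persistent;
}

// Constructed sample capture: a session cookie, an analytics cookie scoped to the parent
// domain, and a persistent tracking cookie set by an unrelated host.
const SAMPLE_ENTRIES = [
  { responseHost: 'shop.example.co.kr', header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { responseHost: 'shop.example.co.kr', header: '_ga=GA1.2.1; Domain=.example.co.kr; Max-Age=63072000; Path=/' },
  { responseHost: 'ads.tracker.example', header: 'uid=xyz; Domain=.tracker.example; Expires=Fri, 14 Jul 2023 00:00:00 GMT; Secure; SameSite=None' },
];

const REPORT = inventory(SAMPLE_ENTRIES, SITE_HOST, SCAN_TIME);
console.table(REPORT);
console.log('need prior consent:', REPORT.filter(needsPriorConsent).map((r) => r.name));
```

In a real scan the entries come from the browser’s network log (or from `document.cookie` for cookies set by scripts), and the report is what the consent banner’s purpose categories are mapped onto.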
PIPA – South Korea’s Personal Information Protection Act, in detail
Hopefully you’ve now gotten a quick overview of the South Korean PIPA, and what it means to you and your website.
If you’re looking for a more detailed breakdown, read on as we look more closely at the key characteristics of South Korea’s data privacy law.
Scope of application of the PIPA in Korea
When it comes to the scope of application, the PIPA in South Korea applies to a data handler.
In South Korea’s PIPA, a data handler is a person that, by itself or through a third party, handles personal data in order to operate a personal data file in the course of its business activities.
South Korea’s PIPA does not differentiate between the data handler being an individual, a public agency, a juridical person or an organisation.
You might wonder, what is a personal data file? And what does it mean ‘to handle personal data’?
First of all, a personal data file is a collection of data that has systematically been organised in accordance with certain rules to make it easily accessible, either if you are searching for it or using it (personal data will be explained more thoroughly later on in the blog post).
Handling of personal data, on the other hand, is defined in South Korea’s PIPA as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.
The PIPC’s responsibilities
The Personal Information Protection Commission (PIPC) is in their own words the central administrative body with the primary task of protecting and supervising personal information.
In their mission statement they present three primary tasks, which include:
- Solid protection of personal information
- Safe use of personal information while increasing its value
- Fair balance between protection and use.
The PIPC is accompanied by the Korea Communications Commission (KCC), the Financial Services Commission (FSC) and the Korea Internet & Security Agency (KISA). The PIPC, however, is the body in charge of enforcing South Korea’s PIPA, which is why we focus on it here.
The main powers of the PIPC include:
- Enforcing the PIPA in South Korea
- Shaping data protection policy
- Evaluating the improvement of laws and the associated administrative measures relating to protecting the personal information
- Addressing matters regarding formal clarifications, and
- Imposing administrative fines, penalties, corrective orders and other administrative sanctions, when needed.
PIPA South Korea – key definitions
South Korea’s Personal Information Protection Act (PIPA) operates with a set of key definitions, like many of the data privacy laws around the world that it resembles. They are important to familiarize yourself with to get the full understanding of the PIPA.
The five key definitions of South Korea’s PIPA are –
- Personal Data
- Sensitive data
- Data controller
- Data processor
- Anonymized information
Personal Data is defined in South Korea’s PIPA as data that relates to a living natural person. The definition is very broad and covers three subcategories of personal data:
- Data that identifies a particular individual by their name, image or resident registration number.
- Data that might not by itself identify a particular individual but can easily be combined with other information to identify the particular individual. To consider whether or not the information can be classified as ‘easily combined’ you need to consider the cost, technology and time it takes to identify the individual.
- Pseudonymised information, i.e. information of the kinds above that has been pseudonymised so that it can no longer identify a particular individual without the use or combination of additional information to restore it to its original state.
Sensitive data is personal information regarding an individual’s faith, health, sexual orientation, genetic information, criminal records, political views, ideology and so on. It is information that could potentially cause a material breach of privacy.
A Data controller, or data handler, is a ‘public institution, corporate body, organization or individual, who handles the data by, collecting, generating, connecting, interlocking, recording, storing, retaining, processing, editing, searching, outputting, correcting, restoring, using, providing, disclosing, destroying or otherwise handling personal data’. The concept of a data controller under the PIPA is very similar to the concept under the GDPR.
A Data processor is someone who processes personal data on behalf of a data controller. The data processor is often a third party, since the data controller frequently outsources this work.
Anonymized information is information that cannot be used to identify a specific individual, even when it is combined with other information. Anonymized information is not subject to the PIPA.
Rights and responsibilities
As mentioned above, we differentiate between a data processor and a data controller. The responsibilities they have and the rights they possess will be explained in detail here.
The data controller has a number of obligations under the PIPA in South Korea. These obligations include handling personal data in a way that minimizes any potential infringement upon the privacy of data subjects and anonymizing or pseudonymizing the data before processing.
More specifically, data controllers must maintain the security of personal data, while taking into account the risk of a breach of the data subjects’ privacy.
Data controllers are required to take the technical, physical and administrative actions required to ensure the security of personal data.
Data controllers also need to give notice whenever they process personal data. Consent to provide personal data to a third party must be obtained separately from consent to collect and use it, and consent to process sensitive data must likewise be obtained separately.
There are only a few exceptions to the above-mentioned requirements under South Korean law, but in accordance with the 2020 amendments, personal data may be used without the data subject’s consent.
This only applies when it is within the scope reasonably related to the original purpose of the collection. These are some of the things Cookiebot CMP can help you take care of.
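The separation of consents described above (collection and use, third-party provision, and sensitive data, each asked for on its own, with refusal of an optional item never blocking the service) is something a website’s consent form can be checked against in code. The following is an added example, not the Act’s text or Cookiebot’s code; the matter names, item ids and the sample form are constructed for illustration.

```python
"""Added example, not Cookiebot's or the PIPA's own text: a consent-form model that keeps
the separate consents described above apart, plus checks that a form does not bundle them
and that refusing an optional item never blocks the service. Matter names, item ids and
the sample form are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set

# Matters the PIPA requires to be asked for separately (the names are this example's own).
COLLECTION_USE = "collection_use"                # collection and use by the controller
THIRD_PARTY_PROVISION = "third_party_provision"  # provision to a third party
SENSITIVE = "sensitive"                          # processing of sensitive data
SEPARATE_MATTERS = frozenset({COLLECTION_USE, THIRD_PARTY_PROVISION, SENSITIVE})


@dataclass(frozen=True)
class ConsentItem:
    item_id: str
    matters: FrozenSet[str]   # what this single checkbox asks consent for
    description: str
    required: bool            # True if necessary to provide the requested service


def validate_form(items: Iterable[ConsentItem]) -> List[str]:
    """Return the problems found in a form; an empty list means it may be shown."""
    problems: List[str] = []
    seen: Set[str] = set()
    for item in items:
        if item.item_id in seen:
            problems.append(f"{item.item_id}: duplicate item id")
        seen.add(item.item_id)
        unknown = item.matters - SEPARATE_MATTERS
        if unknown:
            problems.append(f"{item.item_id}: unknown matters {sorted(unknown)}")
        if not item.matters:
            problems.append(f"{item.item_id}: asks consent for nothing")
        if len(item.matters) > 1:
            # One checkbox covering e.g. collection and third-party provision is the
            # bundling the Act rules out: each matter needs its own consent.
            problems.append(f"{item.item_id}: bundles {sorted(item.matters)}; ask separately")
    return problems


class Decision(NamedTuple):
    service_allowed: bool
    granted: FrozenSet[str]          # ids of items the data subject agreed to
    refused_required: FrozenSet[str]  # required items that were not agreed to


def evaluate(items: Iterable[ConsentItem], answers: Dict[str, bool]) -> Decision:
    """Apply opt-in answers: a missing answer counts as a refusal, and only refusing a
    required item may stop the service; refusing optional items must not."""
    items = list(items)
    granted = frozenset(i.item_id for i in items if answers.get(i.item_id, False))
    refused_required = frozenset(i.item_id for i in items if i.required and i.item_id not in granted)
    return Decision(service_allowed=not refused_required, granted=granted,
                    refused_required=refused_required)


# Constructed sample form for an online shop: two items needed to fulfil an order, two optional.
SAMPLE_FORM = [
    ConsentItem("c1", frozenset({COLLECTION_USE}), "name and address to process the order", True),
    ConsentItem("c2", frozenset({THIRD_PARTY_PROVISION}), "address passed to the delivery partner", True),
    ConsentItem("c3", frozenset({THIRD_PARTY_PROVISION}), "purchase history shared with advertising partners", False),
    ConsentItem("c4", frozenset({SENSITIVE}), "health data for personalised recommendations", False),
]

# A form that asks for everything with one checkbox, which validate_form rejects.
BUNDLED_FORM = [
    ConsentItem("b1", frozenset({COLLECTION_USE, THIRD_PARTY_PROVISION}), "everything in one checkbox", True),
]

if __name__ == "__main__":
    print("sample form problems:", validate_form(SAMPLE_FORM))
    print("bundled form problems:", validate_form(BUNDLED_FORM))
    print(evaluate(SAMPLE_FORM, {"c1": True, "c2": True}))   # optional items refused, service allowed
    print(evaluate(SAMPLE_FORM, {"c1": True, "c3": True}))   # required c2 refused, service not allowed
```

The `evaluate` result is what the application should persist as the consent record, together with a timestamp and the text the user saw, so that a later access or withdrawal request can be answered item by item.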
Since data processors are generally treated in the same way as data controllers, they will commonly be subject to the same legal responsibilities as data handlers.
Where an outsourced service provider acting as a data processor violates the PIPA in South Korea, the processor is deemed an employee of the data controller. The data controller then has vicarious liability, meaning it is held responsible for the unlawful actions of the outsourced service provider.
The data subjects have some rights. They can exercise their rights of access, correction, suspension of use and removal of their personal data.
Regarding this, the PIPA also possesses prescriptive rules for the procedure with the purpose of ensuring data subject’s exercise of the before mentioned rights.
The penalties for breaching South Korea’s Personal Information Protection Act (PIPA) vary.
You could face various administrative sanctions such as corrective orders, fines and penalty surcharges. Also, public prosecutors may investigate any violations which are also subject to criminal punishment. Finally, data handlers could potentially become civilly liable to data subjects who suffer damages as a result of the violations of the data handler.
South Korea’s PIPA vs GDPR
South Korea’s Personal Information Protection Act (PIPA) and the EU’s General Data Protection Regulation (GDPR) are similar and different in a number of ways, e.g. key requirements and how they view data privacy.
- Under South Korea’s PIPA, employers are required to appoint a data protection officer (DPO) among the employees that are authorized to be one. This could be executives or company representatives. The EU’s GDPR on the other hand allows for external DPOs or joint DPOs.
- South Korea’s PIPA guarantees data subjects the right of access, the right to deletion and the right to correction. The EU’s GDPR gives the data subject those rights too, but in addition it prescribes the right to restrict processing, the right to be forgotten, the right to object to profiling and, lastly, the right to data portability to other companies.
- South Korea’s PIPA requires a company to obtain the data subject’s consent before it is allowed to transfer personal information to a location outside its legal jurisdiction. The EU’s GDPR is less strict on this point, as it allows the transfer of personal data to an overseas country without the data subject’s approval if there is an adequacy decision or appropriate safeguards. The PIPA, by contrast, treats the data subject’s consent as the default basis for processing.
- Regarding detailed procedures, the PIPA in South Korea requires only public institutions to carry out an impact assessment, while the EU’s GDPR also requires private companies that process information on a large scale to carry one out.
- When it comes to personal data breaches, South Korea’s PIPA requires a company to inform the data subjects about the leak before it notifies the relevant authority. Under the EU’s GDPR it is the other way around: a company needs to notify the relevant authority first and then notify the data subjects.
- Lastly, under South Korea’s PIPA an administrative fine is capped at roughly 40,000 euros (KRW 50 million) per violation, although penalty surcharges and criminal penalties apply on top of that, while under the EU’s GDPR fines can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
South Korea’s EU adequacy decision
As mentioned in the section above, the EU’s GDPR allows for transfer of personal information to an overseas country without the data subject’s approval, if there is an adequacy decision or appropriate safeguards.
Adequacy means, under the GDPR, that a non-EU country ensures a level of personal data protection equivalent to that of the EU itself.
In January 2017, the EU launched a dialogue with South Korea with the goal of reaching an adequacy decision, ensuring a free flow of data between the two. Such a decision would complement the Free Trade Agreement in place since July 2011.
In March 2021, the EU and South Korea concluded the adequacy talks with the two parties showing a high degree of convergence in the area of data protection. The amendments to South Korea’s PIPA and the strengthening of the powers of the Personal Information Protection Commission greatly influenced the outcome.
In June 2021, the EU launched the process towards adoption of the adequacy decision. The process will cover transfers of personal data to South Korea’s commercial operators as well as public authorities.
The benefits of this adequacy decision, if adopted, are that it would give Europeans strong protection of their personal data when it is transferred to South Korea, while at the same time boosting cooperation between the two leading digital powers.
The European Commission is currently awaiting the opinion of the European Data Protection Board (EDPB), while seeking approval from a committee composed of representatives of the EU member states. Once these two steps have been completed, the EU can proceed to adopt South Korea’s adequacy decision.
Summary of PIPA, South Korea’s Personal Information Protection Act (PIPA)
South Korea’s Personal Information Protection Act (PIPA) is one of the world’s many data privacy laws. Like many other data privacy laws, its purpose is to protect the privacy rights of the data subject, while at the same time making sure that entities like companies or organisations do not abuse the data they receive about their users.
South Korea’s PIPA was first approved in March 2011, went into effect in September 2011 and has since been amended. In 2021 talks about adequacy with the EU’s GDPR concluded and are currently awaiting adoption.
Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including South Korea’s PIPA.
What is South Korea’s PIPA?
The South Korean Personal Information Protection Act (PIPA) is a data privacy law. Just like the EU’s GDPR, its purpose is to protect the privacy rights of the data subject, which it does by making sure that companies or organizations do not abuse the data they hold about their users.
How can my website be in compliance with South Korea’s PIPA?
Even though it is not stated explicitly in the law, if you want to comply with South Korea’s PIPA on your website it is a good idea to get consent from your South Korean users before processing any of their personal data.
Additionally, it would be a good idea to notify them about what you collect, what it is going to be used for and who you share it with, while enabling them to access their personal data.
Who does South Korea’s PIPA apply to?
The PIPA applies to a data handler. In the PIPA a data handler is a person that, by itself or through a third party, handles personal data in order to operate a personal data file in the course of its business activities.
It doesn’t matter if the person is an individual, public agency, organization or juridical person.
What is the timeline for South Korea to obtain adequacy status in the EU?
There is no clear timeline yet. The European Commission is now waiting for the opinion of the EDPB and will seek the approval from a committee composed of representatives of the EU Member States. Only once these two steps are completed, the Commission will be able to proceed to adopt the adequacy decision.
What is the penalty for breaching the South Korean PIPA?
There are different penalties for breaching the South Korean PIPA. These include administrative sanctions such as fines, penalty surcharges or corrective orders.
Additionally, if data subjects suffer damages as a result of the violations of a data handler, the latter could become civilly liable.
How can I scan my website for cookies and trackers?
By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.