Published July 15, 2021.
South Korea’s wide-ranging Personal Information Protection Act (PIPA) was passed on September 30, 2011, making the country one of the world’s strictest privacy regimes.
Like many other comprehensive data privacy laws, its purpose is to protect the privacy rights of the data subject, and it applies to most organisations, including government entities. It is not only strict and broad in application, but also actively enforced: penalties for breaching the PIPA range from fines to imprisonment.
South Korea’s Personal Information Protection Act (PIPA) was passed in September 2011 and became one of the strictest data privacy laws in the world.
Just like it is the case with many other data privacy laws, the purpose of the PIPA in South Korea is to protect the privacy rights of the data subject. This protection applies to most organisations, including government entities. This is one of the reasons why it is so comprehensive.
The PIPA in South Korea provides very prescriptive and specific requirements throughout the lifecycle of the handling of personal data. This includes requirements like prior notification, opt-in consent and heavy sanctions prescribed by law, which makes it one of the strictest data protection laws in the world.
Regarding the scope of application, the South Korean PIPA applies to a data handler. In the South Korean PIPA, a data handler is considered to be a person that, by itself or through a third party, handles personal data in order to make use of any operation on a personal data file in the course of its business activities.
It doesn’t matter whether the person is an individual, public agency, organisation or juridical person, and a personal data file means a collection of personal data that is systematically organised in accordance with certain rules for easy search or use of that personal data.
‘Handling of personal data’ is defined in the South Korea Personal Information Protection Act as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.
The PIPA in South Korea differs from the GDPR by not demanding explicit, written consent from the data subject.
The PIPA in South Korea specifies that when obtaining consent from data subjects, the personal information processor must notify them of the fact, separating the matters that require consent from those that do not. Additionally, you are expected to make this distinction explicitly recognisable to the data subject.
This means that when obtaining consent for processing purposes, the personal information that requires consent must be segregated from the personal information that does not. Consequently, the personal information processor must not deny goods and services because the data subject did not consent to a specific processing activity.
Lastly, while the territorial scope is not specified in the law, it is worth noting that the standard for enforcement of South Korea’s data privacy law is similar to the EU’s GDPR.
This means that companies established in South Korea are subject to the law, while foreign companies that target South Korean users are likely to be affected by the law as well.
The PIPA in South Korea is very comprehensive due to it applying to most organisations including government entities.
Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.
This guarantees you that your website complies with all the main data privacy laws around the world. This includes South Korea’s PIPA, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and California’s CCPA.
Even though the South Korean PIPA does not require consent as explicit as that demanded by other data privacy laws, it is still a good idea to make sure that your users know what they are consenting to.
Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.
For that reason, among others, Cookiebot CMP is considered an optimal solution, for making your domain fully compliant without the need for you to get into any complicated technical implementation.
Consent is not an explicit requirement under the South Korean PIPA, but Cookiebot CMP will provide you with an optimal solution for making your website compliant.
You might wonder, what is Cookiebot CMP? Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete PIPA compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.
Cookiebot CMP offers you a detailed scan report including details about your website’s cookies such as purpose, provider, duration and what third parties it shared end-user data with.
Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.
Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with the PIPA in South Korea along with many other data privacy regulations around the world.
Consent banner by Cookiebot CMP for PIPA compliance in South Korea
Hopefully you’ve now gotten a quick overview of the South Korean PIPA, and what it means to you and your website.
If you’re looking for a more detailed breakdown, read on as we take a closer look at the key characteristics of South Korea’s data privacy law.
When it comes to the scope of application, the PIPA in South Korea applies to a data handler.
In South Korea’s PIPA, a data handler is considered to be a person that, by itself or through a third party, handles personal data in order to make use of any operation on a personal data file in the course of its business activities.
South Korea’s PIPA does not differentiate between the data handler being an individual, a public agency, a juridical person or an organisation.
You might wonder, what is a personal data file? And what does it mean ‘to handle personal data’?
First of all, a personal data file is a collection of data that has been systematically organised in accordance with certain rules so that it can easily be searched or used (personal data will be explained more thoroughly later on in the blog post).
Handling of personal data, on the other hand, is defined in South Korea’s PIPA as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.
The South Korean PIPA is applicable to a data handler.
The Personal Information Protection Commission (PIPC) is, in its own words, the central administrative body with the primary task of protecting and supervising personal information.
In their mission statement they present three primary tasks, which include:
The PIPC is accompanied by the KCC, the FSC and the Korea Internet & Security Agency. The PIPC, however, is the body in charge of enforcing South Korea’s PIPA, which is why we will focus only on it at this point.
The main powers of the PIPC include:
South Korea’s Personal Information Protection Act (PIPA) operates with a set of key definitions, like many of the data privacy laws around the world that it resembles. They are important to familiarize yourself with to get the full understanding of the PIPA.
The five key definitions of South Korea’s PIPA are –
Personal Data is defined in South Korea’s PIPA as data that can be related to a living natural person. Its definition of personal data is very broad, resulting in three subcategories of personal data:
Sensitive data is personal information regarding an individual’s faith, health, sexual orientation, genetic information, criminal records, political views, ideology and so on. It is information that could potentially cause a material breach of privacy.
A Data controller, or data handler, is a ‘public institution, corporate body, organization or individual, who handles the data by collecting, generating, connecting, interlocking, recording, storing, retaining, processing, editing, searching, outputting, correcting, restoring, using, providing, disclosing, destroying or otherwise handling personal data’. The concept of a data controller under the PIPA is very similar to the concept under the GDPR.
A Data processor is someone who processes personal data and personal information. The data processor is often a third party, since the data controller often outsources this job.
Anonymized information is any information which cannot be used to identify a specific individual, even when it is combined with other information. Anonymized information is not subject to the PIPA.
Data can come in many forms and shapes, but the PIPA in South Korea has them all covered
As mentioned above, we differentiate between a data processor and a data controller. The responsibilities they have and the rights they possess will be explained in detail here.
The data controller has a number of obligations under the PIPA in South Korea. These obligations include handling personal data in a way that minimizes any potential infringement upon the privacy of data subjects and anonymizing or pseudonymizing the data before processing.
More specifically, data controllers must maintain the security of personal data, while taking into account the risk of a breach of the data subjects’ privacy.
Data controllers are required to take the technical, physical and administrative actions required to ensure the security of personal data.
Data controllers also need to provide notice whenever they process personal data. Consent for the provision of personal data must be obtained separately from consent for its collection and use, and consent for sensitive data must likewise be obtained separately.
There are only a few exceptions to the above-mentioned requirements under South Korean law, but in accordance with the 2020 amendments, personal data may be used without the data subject’s consent.
This only applies when it is within the scope reasonably related to the original purpose of the collection. These are some of the things Cookiebot CMP can help you take care of.
Since data processors are regularly treated in the same way as data controllers, they will commonly be subject to the same legal responsibilities as data handlers.
Where an outsourced service provider functions as a data processor and violates the PIPA in South Korea, the data processor will be deemed an employee of the data controller. In that case, the data controller will have vicarious liability, meaning it is held partly responsible for the unlawful actions of the outsourced service provider.
Data subjects have a number of rights: they can exercise their rights of access, correction, suspension of use and removal of their personal data.
In this regard, the PIPA also contains prescriptive procedural rules intended to ensure that data subjects can exercise the rights mentioned above.
The penalties for breaching South Korea’s Personal Information Protection Act (PIPA) vary.
You could face various administrative sanctions such as corrective orders, fines and penalty surcharges. In addition, public prosecutors may investigate violations, which are also subject to criminal punishment. Finally, data handlers could become civilly liable to data subjects who suffer damages as a result of the data handler’s violations.
South Korea’s Personal Information Protection Act (PIPA) and the EU’s General Data Protection Regulation (GDPR) are similar and different in a number of ways, e.g. key requirements and how they view data privacy.
EU and South Korea share a lot of similarities, but also differ in a number of ways
As mentioned in the section above, the EU’s GDPR allows for transfer of personal information to an overseas country without the data subject’s approval, if there is an adequacy decision or appropriate safeguards.
Adequacy means, under the GDPR, that a non-EU country ensures a level of personal data protection equivalent to that of the EU itself.
In January 2017, the EU launched a dialogue with South Korea with the goal of reaching an adequacy decision, ensuring a free flow of data between the two. Such a decision would complement the Free Trade Agreement in place since July 2011.
In March 2021, the EU and South Korea concluded the adequacy talks with the two parties showing a high degree of convergence in the area of data protection. The amendments to South Korea’s PIPA and the strengthening of the powers of the Personal Information Protection Commission greatly influenced the outcome.
In June 2021, the EU launched the process towards adoption of the adequacy decision. The process will cover transfers of personal data to South Korea’s commercial operators as well as public authorities.
The benefit of this adequacy decision, if adopted, is that it would provide Europeans with strong protection of their personal data when transferred to South Korea, while at the same time boosting cooperation between the two leading digital powers.
The European Commission is currently awaiting the opinion of the European Data Protection Board (EDPB), while seeking approval from a committee composed of representatives of the EU member states. Once these two steps have been completed, the EU can proceed to adopt South Korea’s adequacy decision.
South Korea’s Personal Information Protection Act (PIPA) is one of the world’s many data privacy laws. Like many other data privacy laws, its purpose is to protect the privacy rights of the data subject, while at the same time making sure that entities such as companies or organisations do not abuse the data they receive about their users.
South Korea’s PIPA was first approved in March 2011, went into effect in September 2011 and has since been amended. In 2021 talks about adequacy with the EU’s GDPR concluded and are currently awaiting adoption.
Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including South Korea’s PIPA.
The South Korean Personal Information Protection Act (PIPA) is a data privacy law. Just like the EU’s GDPR, its purpose is to protect the privacy rights of the data subject, which it does by making sure that companies and organizations do not abuse data about their users.
Even though it is not stated explicitly in the law, if you want to comply with South Korea’s PIPA on your website it is a good idea to get consent from your South Korean users before processing any of their personal data.
Additionally, it would be a good idea to notify them about what you collect, what it is going to be used for and who you share it with, while enabling them to access their personal data.
The PIPA applies to a data handler. In the PIPA, a data handler is considered to be a person that, by itself or through a third party, handles personal data in order to make use of any operation on a personal data file in the course of its business activities.
It doesn’t matter if the person is an individual, public agency, organization or juridical person.
There is no clear timeline yet. The European Commission is now waiting for the opinion of the EDPB and will seek approval from a committee composed of representatives of the EU Member States. Only once these two steps are completed will the Commission be able to proceed to adopt the adequacy decision.
There are different penalties for breaching the South Korean PIPA. These include administrative sanctions such as fines, penalty surcharges or corrective orders.
Additionally, if data subjects suffer damages as a result of the violations of a data handler, the latter could become civilly liable.
By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.