For foreign companies engaging with the South Korean market, understanding and complying with the Korean Personal Information Protection Act (PIPA) is essential. PIPA sets stringent requirements for the handling of personal information, aiming to safeguard individuals’ data privacy. To provide clarity and direction, the Personal Information Protection Commission of Korea (PIPC) has released the “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” (the Guidelines). This article will explore the core principles of PIPA, delve into these specific guidelines, and offer actionable insights for foreign businesses striving to achieve compliance in South Korea.
When does PIPA Apply to My Business?
PIPA applies to foreign business operators when they provide goods or services globally (including Korea) or process personal information overseas that substantially affects Korean data subjects. Let’s examine the criteria for this in more detail.
1. You Offer Products or Services in the Republic of Korea
The indicators below can be used to determine whether an organization is providing goods or services to data subjects in Korea:
- Specifying South Korea as a supported country. Example: An international online retailer lists South Korea as one of the countries they ship to or for which they provide services.
- Using a Korean domain (.kr) or a separate domain for Korea. Example: A global fashion brand uses “brandname.kr” for its Korean website, indicating a service targeted to Korean consumers.
- Launching services in a Korean app store or providing services only in Korean. Example: A foreign mobile game developer releases its game in the Korean Google Play Store.
- Collecting personal information that identifies the nationality or address as Korean. Example: An international job portal collects applicant data including nationality and address, and has fields specifically for Korean addresses and nationalities.
- Providing customer support in Korean or targeting Korean data subjects in advertising. Example: A foreign technology company runs advertisements in Korean targeting Korean consumers.
2. Your Data Processing Impacts Data Subjects in the Republic of Korea
Even if goods or services are not provided directly to Korean data subjects, foreign business operators must comply with the PIPA if their processing of personal information has a direct and substantial impact on those data subjects. Examples include:
- Collecting and sharing personal information of Korean data subjects.
- Processing personal information while providing services to Korean business operators or through entrustment relationships with Korean businesses.
Example: If a foreign data analytics company processes personal data of Korean users for targeted marketing, it must adhere to PIPA regulations.
3. Your Place of Business is Located within the Republic of Korea
Foreign business operators with a business presence in Korea must comply with PIPA. This includes:
- Corporations, individual offices, liaison offices, and business establishments processing personal information in Korea.
- Korean entities identified as the personal information controller for Korean data subjects.
Example: If a foreign tech company with a branch office in Seoul handles customer data, it must comply with PIPA.
Key PIPA Requirements
1. Notification and Reporting of Divulgence of Personal Information
Divulgence is akin to a data breach and refers to instances where personal information becomes accessible to an unauthorized third party through loss, theft, or a voluntary act of the personal information controller without valid legal grounds. This includes scenarios such as:
- Loss or theft of documents, portable storage devices, or laptops containing personal information.
- Unauthorized access to personal information systems or work computers.
- Mistakenly posting files containing personal information on the internet or sending emails with personal information to unintended recipients.
Example: A foreign company experiences a cyber attack where hackers gain unauthorized access to its database containing personal information of Korean users. The company must notify affected users and report the incident to PIPC.
Reporting Requirements
Upon discovering a divulgence of personal information, an organization must take the following actions:
- Inform affected data subjects within 72 hours.
- Report to the PIPC or the Korea Internet & Security Agency (KISA) within 72 hours if the divulgence involves:
  - Personal information of 1,000 or more individuals.
  - Sensitive or personally identifiable information.
  - Unlawful external access.
Example: A foreign financial service provider experiences a data breach affecting 20,000 Korean users. They must report the breach to PIPC and KISA within 72 hours and inform the affected individuals.
Reporting Procedure
Reports can be filed through KISA’s Privacy Portal or by submitting a report form via email ([email protected]). If reporting within 72 hours is infeasible due to uncontrollable circumstances, the report should be made once those circumstances are resolved.
Exceptions
If personal information was inadvertently sent to an unauthorized employee and they are instructed to delete it or safety measures are implemented, this might not be considered divulgence. Further, if unauthorized access to a system did not result in viewing or accessing of information, it might not constitute divulgence.
2. Publication of a Privacy Policy
The privacy policy must be written in Korean and specifically formulated to comply with PIPA. It should include:
- Distinction between third-party provision and outsourcing of personal information processing.
- Clear indication of key aspects using symbols or other means.
- Separate disclosure of cross-border transfer details, if feasible.
Example: If a foreign online retailer markets goods to people in South Korea, it must provide a privacy policy in Korean that clearly explains how personal data is collected, used, and protected, distinguishing between third-party data sharing and outsourced processing.
Transparency and Accessibility
The privacy policy must be easily recognizable and accessible, labeled clearly as “Privacy Policy.” Prior versions should remain accessible, and changes should be highlighted for easy understanding.
Consolidation of Information
If disclosing additional Korean-specific provisions, they should be consolidated on a single web page. Links should be regularly maintained and easily accessible in Korean.
3. Data Subject Rights
Data subjects have the right to:
- Access their personal information.
- Request correction, erasure, or suspension of processing.
- Withdraw consent.
Mechanisms to exercise these rights must be as accessible as those for the collection of personal information and must be handled within ten business days. Denial of such requests must be justified, and data subjects must be informed of the reasons and how to object.
Foreign business operators must prepare procedures for Korean data subjects to exercise their rights, provide guidance in Korean, and offer accessible means such as email or phone.
4. Legal Representatives of Children under 14
When processing personal information of children under 14, consent from legal representatives is mandatory. Operators should confirm the age of data subjects and use identification services provided by designated agencies.
5. Cross-Border Transfer
Cross-border transfer of personal information is allowed if:
- Separate consent is obtained from the data subject.
- Governed by statutes, international treaties, or necessary for contract performance.
- The recipient of personal information is certified by the PIPC.
- Recognized by the PIPC as having an adequate level of protection.
Example: A foreign company transferring Korean employees’ personal data to its headquarters abroad must comply with PIPA’s cross-border data transfer requirements.
Compliance and Suspension
The PIPC can order the suspension of cross-border transfers if these conditions are not met or if the prescribed protection measures are not established.
6. Coverage of Liabilities for Damages
Foreign business operators must take necessary measures to meet potential liabilities for damages, such as purchasing insurance or setting aside reserves. This applies to both headquarters and branches providing services to Korean data subjects.
Example: If a foreign fintech company provides services to the Korean market, it must have insurance or set aside reserves to cover potential damages from data breaches affecting Korean users.
7. Dispute Mediation for Personal Information
Foreign business operators must participate in dispute mediation if requested by the Dispute Mediation Committee. They must provide necessary materials and may have to appear before the Committee.
8. Entrustment of Personal Information Processing
The provision of personal information to a third party for the transferee’s interests is different from entrustment for the transferor’s interests. Operators must have a valid legal basis for providing personal information to a third party and ensure secure processing by the entrusted party.
Example: A foreign SaaS provider must ensure that any third-party processors handling Korean data comply with PIPA standards.
9. Domestic Agent
Foreign business operators with no address or place of business in Korea must designate a domestic agent if their sales or volume of personal information retained exceed certain thresholds. The agent must be able to communicate in Korean and handle domestic complaints.
Example: A foreign e-commerce company without an office in Korea must designate a local agent to handle privacy-related issues and complaints.
10. Investigation and Preliminary Fact-Finding Inspections
The PIPC may investigate foreign business operators for violations of PIPA, request relevant materials, and conduct on-site inspections. Operators must designate a person-in-charge capable of responding to investigations. Further, they must provide, in Korean, such documents as may be requested by PIPC.
Example: A foreign cybersecurity firm operating in Korea must have a designated compliance officer ready to cooperate with PIPC investigations and provide documentation in Korean.
11. Corrective Measures and Penalty Surcharges
The PIPC can order corrective measures, impose penalty surcharges of up to 3% of total sales, or make criminal referrals. To make these measures effective, steps such as blocking access to services or seeking the cooperation of internet service providers may be employed.
Example: A foreign e-commerce platform found violating PIPA may face fines and corrective orders, and access to its services in Korea may be blocked until compliance is achieved.
Examples of Enforcement
The following examples illustrate potential violations and the subsequent consequences that could be faced by companies failing to comply with PIPA’s requirements.
- Personal Information Leakage: Penalties for breaches of security measures and failure to notify and report leaks. Example: A foreign online retailer experienced a data breach but failed to notify Korean users in time, leading to substantial penalties and mandatory security upgrades.
- Consent Violations by Advertising Platforms: Fines for collecting behavioral information without user consent. Example: An ad-tech company collected and used Korean users’ behavioral data for targeted advertising without obtaining explicit consent, resulting in fines and required policy changes.
- Investigation of Overseas Map Service Provider: Fines for collecting unencrypted personal information via Wi-Fi. Example: A foreign map service provider collected unencrypted Wi-Fi data from Korean users without consent, leading to hefty fines and mandatory data protection measures.
- Unauthorized Collection by Caller ID App: Fines for collecting personal information without consent. Example: A caller ID app collected contact information from Korean users’ address books without proper consent, resulting in fines and required corrective actions.
Key Takeaways
Foreign business operators must comply with PIPA when providing goods or services to Korean data subjects, processing personal information impacting Korean individuals, or maintaining a business presence in Korea. Adherence to PIPA is essential for protecting personal information and upholding the rights of data subjects as mandated by Korean law. Ensuring compliance with these guidelines not only safeguards the personal information of Korean data subjects but also enhances trust and credibility in the Korean market.
At VeraSafe, we specialize in guiding businesses through the complexities of international data protection laws. Our comprehensive services ensure your business remains compliant, protecting personal information globally. Partner with VeraSafe to navigate the intricacies of PIPA and other worldwide privacy regulations and unlock new business opportunities with confidence and security.