TELECOMMUNICATIONS, MEDIA & TECHNOLOGY
Comprehensive personal data protection law enacted
Korea has passed a comprehensive law for protection of personal information, extending confidentiality requirements across a broad spectrum of information handling. The long-awaited Personal Information Protection Act (PIPA) was promulgated on March 29, 2011. Whereas existing data protection statutes are limited in the entities and types of information they cover, the new law will broadly restrict collection and handling of any private information, by any person, company or government agency. Generally the individual’'s informed consent will be required for any collection, use or disclosure of personal information. The new law also puts limits on the degree to which individuals may be requested for personal data, and limits on the use of CCTV; provides for internal controls; and provides for class action mediation and litigation of data protection disputes.

PIPA will take effect 6 months from that date, i.e. on September 30, 2011, with the exception of certain provisions as noted below. PIPA will overlap the two main existing data protection statutes, which, however, will for the most part continue in force, namely the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (IC Network Act), which applies to telecom service providers, and the Use and Protection of Credit Information Act (Credit Information Act), which applies to banks and other persons handling credit information. Generally, in situations where PIPA rules vary from these existing laws, the restrictions more protective of personal information should apply. (PIPA will, however, render obsolete a related law on data protection by government agencies.)

A number of the data protection practices required under PIPA are already in widespread use among Korean businesses, largely due to the penumbral influence of the IC Network Act and Credit Information Act. Nevertheless, PIPA is a landmark piece of legislation, in encoding such privacy rules for virtually all segments of Korean business.

The main provisions of PIPA are in summary as follows.
 
First, PIPA applies broadly to "personal information" and any "handler of personal information". "Personal information" means any information from which, by itself or combined with other information, an individual can be identified, whether from his name, citizen's I.D. number, image or other attributes. A "handler of personal information" (data handler) means any person any government entity, company, individual or other person that (directly or through a third party) "handles personal information in order to manage personal information files for work purposes." PIPA applies to both electronically and manually recorded information—online and soft data as well as offline and paper.

Broadly, in order for any data handler to collect or use personal information, or to disclose any such information to a third party, the data handler must get the subject's consent, after informing him/her of the purposes of collection or use of the information, the types of information sought, the period of retention and use, and other details. There are some exceptions, in special circumstances. (Disclosure of information overseas, as opposed to in-country, may be subject to special conditions, to be considered by the Ministry of Public Administration and Security.) Handling of sensitive information, such as concerning one's beliefs, and uniquely personal information such as one’'s I.D. number, will require specific consent, or else a law or regulation authorizing the same.

Further, apart from certain types of companies and institutions (such as banks), data handlers will have to furnish a way for people to sign up on their websites other than by entering their I.D. numbers. (This particular provision, and related provisions for fines in case of violation, come into effect on March 30, 2012.)

PIPA at last gives clear rules on video images: CCTVs, and any other video recording and transmission devices, may be installed and operated only to the extent necessary for crime prevention, and other limited purposes. Sound recording is banned.

Data handlers are required to draw up and publish a personal information handling policy, including such particulars as period for retention of information. They must also designate an individual who will be generally in charge of handling of the information and responsible for the protection of it. In case of a leak of personal information, the individuals involved must be notified without delay of the details and circumstances, and the remedial steps planned. (Similar rules already apply in the telecom and financial sector, under the existing statutes.)

Individuals may sue data handlers for damages resulting from their breach of PIPA provisions. Significantly, the PIPA places an evidentiary burden on the data handler, to prove there was no negligence on its part in handling information; otherwise, it cannot avoid liability, of some degree. At the same time, in case of loss due to information theft, leakage etc., the data handler can reduce its liability by showing it was not remiss in observing and monitoring its PIPA compliance.

PIPA provides for the setup of a committee to handle mediation of personal information disputes. (This will supersede and replace the analogous committee set up under the IC Network Act.)
 
Collective mediation or class action litigation
In a personal information-related dispute where multiple individuals incur injuries, or violations of rights, that are similar in kind, an application for mediation may be submitted to the committee by the individuals concerned or the data handler, or by a government body, or relevant consumer group or NGO. The committee is to publicly announce whether it will mediate the dispute.

In the event the data handler refuses to go along with mediation, or to respect the committee’'s conclusions, PIPA allows consumer groups or other interested parties to pursue a collective or class action lawsuit, for injunctive relief against any activities of the data handler that are complained of. This special avenue under PIPA is only for injunctive relief. For money damages, individuals may resort to litigation under the general Civil Procedure Act.


Further details must await promulgation of the administrative enforcement decree (which should be issued within the next few months) and further regulations, as well as a related directive of the Ministry of Public Administration and Security.
 
-by Kwang Hyun Ryoo (kh.ryoo@bkl.co.kr)