A draft of the amended Enforcement Decree of the Personal Information Protection Act (PIPA) will supplement the statutory amendments set to take effect on September 15, 2023.

The draft rules, announced on May 19, 2023, help build out the new PIPA framework of latitude for offshore data transfers, and at the same time provide standards for potential orders to suspend offshore transfers.

Included are standards for obtaining consents from data subjects, for selecting the businesses whose privacy policies will be assessed, and for certain required general notifications to data subjects. The draft rules also clarify the new rule permitting fines of up to 3% of “total” revenues for violations of PIPA.


For data incident reporting, the draft rules set a reporting window of 72 hours and, in general but with exceptions, a threshold of 1,000 affected data subjects.

Comments from the public are invited until June 28, 2023, but the draft decree is very likely to be adopted largely as is by early September 2023.


For the main features of the amended PIPA that take effect later, such as the right to refuse automated decision-making (March 2024) and data portability rights (within a year after March 2024), further rule changes will follow as those dates approach.

 

Further to the wide-ranging amendments of Korea’s Personal Information Protection Act (PIPA) passed on February 27, 2023 (as reported), the chief regulator has issued its draft amendments to the Enforcement Decree, the prime implementing regulation of PIPA (PIPA-ED), supplying many of the standards and rules surrounding the processing of personal data that are left open or vague in the PIPA text itself. The draft of the amended PIPA-ED, released by the Personal Information Protection Commission (PIPC) on May 19, 2023 for public comment until June 28, 2023, clarifies the new PIPA framework for, among other things, offshore personal data transfers, data subject consents and notification requirements, evaluations of selected privacy policies, assessment of fines as a percentage of up to the “total” revenues of a business, and reporting of data leakages and other data incidents.


Summarized below are principal features of the draft PIPA-ED that, with the corresponding PIPA rules, may be of particular relevance for multinational businesses. Personal information is referred to below as “PI”.


● PI transfers offshore based on recipients’ certifications, or offshore jurisdiction data protection adequacy: Until now, PI transfers offshore, as such, required specific disclosures and specific consent of data subjects (at least in the case of controller-to-controller transfers), but the amended PIPA will permit offshore transfers on several bases without consent, including where (i) the recipient has obtained a data protection-related certification of a type deemed satisfactory by the PIPC, or (ii) the country to which the PI is going has been deemed by the PIPC to maintain a level of data protection commensurate with Korea’s. The draft PIPA-ED lays out the procedural steps by which the PIPC will affirm the satisfactory kinds of certifications and designate jurisdictions offering commensurate data protection. The process in each instance centers on a “Special Commission on Overseas Transfers”. Approved certifications are to be assigned validity periods. Offshore jurisdictions, once approved, are to undergo periodic review for adequacy.

 

● Standards for imposing an order to suspend PI transfers offshore: While supplying added bases for PI transfers offshore without the need for specific disclosures and consent, the amended statute imposes a control mechanism: the PIPC will have the right to order a data controller to suspend such a transfer altogether if it is being done without a valid basis (consent, or another basis such as those noted above), or if the transfer is going to a person, or a jurisdiction, seen as posing a danger of inadequate data protection and resulting harm to the data subjects. The draft PIPA-ED elaborates on the factors that are to go into such a decision, including the scope and volume of the PI, the severity of the PIPA violations involved, the dimensions of potential harm to data subjects, and the relative benefit of such a suspension (and the insufficiency of a mere corrective order) for the data subjects’ purposes.


● Clarity and free choice required for valid consent to processing: The PIPA-ED clarifies that, for valid consent from data subjects – consent being by far the most important basis for personal data processing – the relevant content must be presented in a way that is clear, simple and easy to understand, and must allow data subjects free choice, and a clear indication of their choice, to consent or not consent. The principles are hardly new or surprising, encapsulating what has long been the regulator’s stance, but this formulation of them within the PIPA-ED – taken together with the privacy policy evaluation system (see next item) – would seem to provide a further basis for, and may anticipate, a degree of added rigor in the regulator’s compliance review of data protection practices.


● Selective scrutiny and evaluation of privacy policies: Under PIPA as amended, the PIPC is entitled to single out, for compliance review, the privacy policies of selected businesses, so as to consider and formulate “recommended” modifications. (The PIPC was not precluded from carrying out reviews of this sort before, and occasionally it did so, but the amended PIPA sets a systematic framework for such processes.) The draft PIPA-ED spells out the factors that are to go into the selection process – basically, the nature and dimensions of the data controller, including its type(s), volumes and methods of PI processing. The draft PIPA-ED also indicates general standards, such as clarity, for the compliance evaluation. A more concrete formulation of those standards is to be decided later by the PIPC and promulgated (separately from the final PIPA-ED) in a public notice.


● Intriguing modification to the basis for supplemental use and transfer of PI: The draft PIPA-ED usefully modifies one of the alternative bases (besides consent) for processing of PI, namely reasonable, safe processing that is supplemental to the original scope: that is, usage and transfer of PI for a scope “reasonably related to the initial purpose of collection”, done with suitable security measures and not posing a meaningful risk to the data subject. The clause, introduced in 2020, has not been relied on much, overtly at least, but a difficulty until now was that, for this purpose, the data controller was required to disclose in advance, in its privacy policy, the standards it would apply in making any such supplemental use and transfer of PI. However, the amended PIPA-ED would not require such advance disclosure in a privacy policy, except where the supplemental use and transfer of PI are on a continual basis.

 

It is thought that this change might facilitate, for example, the use of PI in connection with AI data sets, and PI transfers in the context of product linkups with IoT platforms.


(Meanwhile, in a separate, higher-profile change, touted by the PIPC itself, the amended statute will allow PI processing where it is “necessary” for the purpose of performing a contract. That change certainly improves on the previous wording, which was in terms of “unavoidably necessary”, but basic questions remain, including how broadly the concept of “contract” might be understood, and the PIPA-ED does not speak to that aspect.)


● Required annual / occasional notifications to data subjects: The amended statute requires data controllers above a threshold scale to provide periodic notifications to data subjects, informing them of the scope of usage and transfers of their PI, on top of the existing obligation to notify data subjects upon receiving their PI from third parties. According to the draft PIPA-ED, these requirements will apply to any data controller processing the PI of 1 million or more data subjects, or the sensitive PI (political, health-related, etc.) or uniquely identifying information of 50,000 or more individuals.


● Potential revenue-based fines for violations: As amended, PIPA provides for possible administrative fines (or “penalty surcharges”) of up to 3% of the “total” sales of the offending business, provided that such total sales are “to be computed excluding sales that are unrelated” to the violation. (Such revenue-based fines pertain to the more blunt and serious kinds of violations, such as collecting or transferring PI without consent or another basis.) A question has been how exactly this differs from the pre-existing rule, which was for up to 3% of “sales related to” the violation. The draft PIPA-ED now clarifies that “total sales” will exclude (a) sales that “obviously are unrelated to the processing” of PI, and (b) sales that are “demonstrated to be unaffected, directly or indirectly, by the violation”. The PIPA-ED goes on to institute a new methodology for calculating the specific fine in a given case, involving rather sophisticated calibrations based on assorted variables and aggravating and mitigating factors.


● Data incident reporting requirement – timeframe: Under PIPA as amended, a “data leakage” – such as an inadvertent leak, or a hacking or other external attack – must be reported to the regulator, and notified to the affected data subjects, “without delay” once the data controller learns of the incident and of the fact that PI of Korean individuals was affected. The draft PIPA-ED clarifies that “without delay” will mean within 72 hours of that same point in time, i.e. knowledge of the incident and of the inclusion of Korean individuals’ PI. For data controllers that are online businesses, the 72 hours is at any rate an improvement over what had been a 24-hour period (under an online sector-specific clause for incident reporting that has been eliminated in the amended PIPA).


● Data incident reporting – threshold in terms of affected data subjects etc.: Additionally, the reporting requirement would generally apply only where the PI of 1,000 or more data subjects (Korean individuals) is affected. However, it would apply, without reference to a threshold number of individuals, to any hacking incident, i.e. external access to and taking of PI, and to any incident affecting sensitive PI (political, health, etc.) or uniquely identifying information (passport numbers etc.). On the other hand, the draft PIPA-ED would seem (although the clause is unclear) to newly recognize a possible exemption from reporting to the regulator, conditioned on the taking of ample remedial steps (such as recovery or deletion of the affected PI) so as to prevent any likely harm to the data subjects. (In that case, however, notification to the data subjects would still be required.)

 

Outlined above are the main elements of the amended PIPA-ED in the present draft that would seem to merit scrutiny among multinational businesses. It is worth bearing in mind that the draft amendments to the regulation, which is a critical part of the “infrastructure” of data protection in Korea, address many other areas of the statute, and issues of interpretation. (One example would be the role of the Dispute Mediation Committee, in what the PIPC hopes will become a more robust, widely relied-on system for personal data-related dispute resolution.) It is also important to note that the amendments to PIPA that will take effect in September 2023 cover much more ground, that is, areas of regulation that do not call for supplementing in the Enforcement Decree. Also due to take effect at later dates is the new PIPA framework for rights in relation to automated decision-making (March 2024) and data portability (still later), and the PIPA-ED will be modified to supplement that framework only as those dates approach.

The draft PIPA-ED is publicly available (including at this government-maintained page), and the regulator is inviting submission of comments on it until June 28, 2023. Among other routes for submission, comments may be input at the homepage of the Center for Legislation with Citizen’s Participation, or sent by email to a stated address. (Bae, Kim & Lee LLC is advising a number of businesses in this regard.) A prevalent view among observers is that, while the draft PIPA-ED may be susceptible in various of its details to some modification or “tweaking”, the current draft is highly likely to proceed to formal adoption, largely as is, by early September 2023, ahead of the September 15 effective date of the corresponding PIPA amendments.




This update is intended as a summary news report only, and not as advice. For legal advice, please inquire with your contact at Bae, Kim & Lee LLC, or the authors of this legal update.



Kwang Hyun Ryoo

T 82.2.3404.0150

E [email protected]

 

Taeuk Kang

T 82.2.3404.0485

E [email protected]  

 

Minwoon Yang

Senior Foreign Attorney

T 82.2.3404.0264

E [email protected]