South Korea’s Personal Information Protection Act (PIPA) first came into effect in 2011 to govern data privacy. The country amended the law in 2020, making it one of the strictest data privacy laws around the world – no easy feat given the slew of evolving regulations over the past several years.
In its current form, PIPA gives South Korean citizens personal data rights, like the right to be informed and the rights to access, rectify, and erase data. It also imposes requirements for personal information controllers, such as specifying the purpose for collecting personal information, ensuring personal information is complete and accurate, and safeguarding any personal information they hold.
Here’s what every company needs to know about the latest version of PIPA, including what’s required to maintain compliance and avoid penalties, which can include both monetary penalties and imprisonment.
Who Must Comply with PIPA?
Any “personal information controller” within South Korea must comply with PIPA. A personal information controller is any body – business, individual, or otherwise – that engages in activities like processing, storing, retaining, searching, outputting, restoring, rectifying, using, collecting, generating, recording, provisioning, disclosing, or destroying personal information about South Korean citizens.
According to the law, personal information is data that:
- Directly identifies a living individual by full name, resident registration number, or image
- Indirectly identifies a living individual when combined with other information that is easily accessible
- Meets one of the above criteria but is pseudonymized so that it cannot be used to identify an individual without specific information to restore it to the original state
PIPA also defines a special class of “sensitive information,” which is any personal information related to an individual’s ideology, faith, labor union membership, political views or membership in a political party, health or medical treatment information, sexual orientation, genetic information, criminal records, or biometric data for the purpose of uniquely identifying someone. Personal information controllers must obtain separate consent from individuals to collect and process sensitive information.
The only exceptions to compliance with PIPA include instances in which:
- Special provisions exist in another South Korean law or it is impossible to meet the requirements of both PIPA and another South Korean law
- Public institutions (i.e. government bodies) need certain information to conduct affairs
- Certain information is required to perform a contract
- Information is deemed obviously necessary to protect the physical safety and property interests of the data subject when they cannot give consent
- Collecting or using information is necessary for the personal information controller to realize their legitimate interests (however, this applies only in limited cases and must have a reasonable scope)
- Information is needed to settle a payment for online services provided (this applies only to Online Service Providers)
Notably, PIPA does not include any specifications about the territorial scope of the law and how it applies to any personal information controllers that process data on South Korean residents when they are not physically located in the country. To date, this scope has been established for individual cases based on factors like whether or not the body in question generates revenue from doing business in South Korea or specifically targets South Korean citizens in the products/services it provides.
How Does South Korea Enforce PIPA?
The Personal Information Protection Commission (PIPC) is responsible for enforcing PIPA. The PIPC can help interpret the law, shape data protection policies, and assess potential amendments to the law. Most importantly, it can investigate instances of non-compliance and issue corrective orders, penalties, and other administrative sanctions as it sees fit.
Specifically, the PIPC can make recommendations for improvements to any personal information controller that may not be in full compliance with PIPA. The PIPC can also issue a corrective order for failure to comply with obligations under the law.
Overall, penalties for non-compliance can differ based on the situation. For example, any organization that does not follow a corrective order or fails to notify data subjects about a breach can be fined up to KRW 30 million. Instances where an organization transfers personal information to a third party without consent can lead to criminal sanctions of imprisonment of up to five years or a fine of up to KRW 50 million. Additionally, these sanctions can apply to both the party that transferred the data and the one that received it if they knew the information was transferred without the data subject’s consent. And any data breach that results from an organization’s intentional actions or negligence can lead to punitive damages up to three times the damages suffered as a result of the breach.
Finally, South Korea’s Network Act, which protects personal information on communication services, includes a special provision for Online Service Providers that violate PIPA. This provision requires organizations to pay a fine of up to 3% of sales resulting from the violation, or up to KRW 400 million if it’s too difficult to calculate the relevant sales.
What Proactive Data Protection Measures Does PIPA Require?
South Korea places the burden of protecting personal information on controllers, requiring them to take specific steps to proactively prevent the loss, theft, alteration, or destruction of personal information. These steps include implementing a plan to handle personal information in a safe way, introducing security measures (e.g. encryption) to protect data storage and transmission, and installing security measures to prevent unauthorized access to data.
PIPA also requires every personal information controller to appoint a Chief Privacy Officer (CPO). The CPO must be an employee or executive of the company and failure to appoint one can carry an administrative fine of up to KRW 10 million. The law outlines clear responsibilities for the CPO, including:
- Introducing a policy to protect, manage, and monitor personal information
- Regularly reviewing how personal information gets processed and recommending improvements
- Fielding complaints and requests from individuals
- Establishing controls to prevent the loss or abuse of personal information and training employees on protection measures
- Destroying personal information after the purpose for processing it is complete or the retention period has expired
CPOs can also be held personally criminally liable in certain instances of non-compliance with PIPA. The first time this occurred was a January 2020 case in which a Seoul district court found both a company and its CPO negligent following a 2017 data breach. Both the company and the CPO were fined KRW 10 million. The court also had the option to issue an eight-month prison sentence (out of a maximum of two years in cases of negligence) for the CPO but opted not to do so.
What Incident Response Measures Does PIPA Require?
Any personal information controller that experiences a data breach must follow certain incident response measures under PIPA. A data breach is any instance of loss, theft, alteration, or destruction of personal information.
When a data breach occurs, the controller must take countermeasures to reduce the risk of harm to data subjects and notify those data subjects within 24 hours of discovering the breach. This notification should include:
- Details about the personal information that was part of the breach
- When and how the breach occurred
- Any information about how the data subjects can minimize the risk of damage resulting from the breach
- Countermeasures and steps to remediate the issue the personal information controller has already taken
- Contact information for the data subjects to report any damage as a result of the breach
If the number of affected data subjects is 1,000 or more, the personal information controller must also:
- Notify the PIPC by sharing the same information as shared with data subjects as well as the results of any countermeasures already taken
- Place the notification to data subjects on its website homepage (or a noticeable place in its business if the controller doesn’t operate a website) for at least seven days
Finally, Online Service Providers must take additional steps following a data breach pursuant to South Korea’s Network Act. Regardless of the number of people affected, Online Service Providers must:
- Individually notify online service users
- Submit a personal information leakage report detailing what happened and any remedial steps planned to either the PIPC or the Korea Internet & Security Agency (KISA) within 24 hours of discovering the breach
- Investigate the cause of the breach and take action to stem any damage
What Can Trigger Incident Response Under PIPA?
Any organization that experiences a data breach involving the loss, theft, alteration, or destruction of personal information must go into incident response mode under PIPA. Common examples of data breaches that can trigger a notification include:
Watering Hole Attack
A watering hole attack is a type of social engineering attack that preys on individual behavior rather than corporate security protocols. In this type of attack, hackers monitor their intended victims to identify websites they visit regularly, then they infect those websites to gain access to their victims’ computers and network. Once they gain access, they can view, alter, steal, or destroy any personal information the victim controls, which creates a data breach under PIPA.
Improperly Processed or Sold Data
PIPA requires organizations to obtain consent from data subjects to process and sell their data, and it gives those data subjects the right to revoke their consent at any time. As a result, any company that processes or sells personal information without the data subject’s consent or after the data subject has revoked their consent goes against PIPA and requires a notification.
Mistakenly Exposed Data
Sharing personal information with the wrong person or exposing personal information improperly (e.g. sharing information that should be encrypted over an insecure channel like email) can qualify as a data breach that requires notification under PIPA. This is the case even if the exposure is the result of an innocent mistake, since the event still creates risk for the data subjects and goes against the consent requirements outlined in the law.
How Should Organizations Prepare for PIPA?
South Korea’s recent updates to PIPA stress the importance of being proactive in protecting consumers’ personal information and in responding to any data breaches that occur. The law does so by strengthening the requirements around what organizations can and cannot do with the data they collect and process, introducing strict guidelines for how to safeguard data, and requiring companies that experience a data breach to take on incident response activities.
Achieving this level of proactive behavior requires all personal information controllers to take certain steps with the help of their chief privacy officer, including:
- Establishing visibility into data collection, processing, and storage practices
- Assigning responsibility for security protocols and incident response activities
- Developing a clear and actionable plan for how to respond when an incident occurs
Specifically, organizations should prepare for three phases of incident response:
1) Preparation
What: Have an actionable incident response plan ready to go so that the team can jump into action quickly and confidently after a data breach.
Why: Privacy incidents are now inevitable, even with strict security measures in place. Not only does South Korea require organizations to respond quickly when a breach occurs, but doing so can also lessen associated costs.
How: Determine what relevant data privacy laws, like South Korea’s PIPA, and any customer or partner contracts require in terms of incident response, then develop plans to meet those needs.
2) Response
What: Put incident response plans into motion immediately after discovering a privacy breach.
Why: This immediate response is necessary to comply with South Korea’s incident response notification requirement, plus any similar notifications outlined in other laws and contracts. A quick and complete response can also help avoid or reduce penalties, lessen the potential risk for consumers, and maintain public trust.
How: Investigate the incident (what happened, how it happened, when it happened, who was impacted, potential risks) and notify individuals and any agencies as required by laws like PIPA. Take the opportunity to remediate any damage if possible and tighten security to prevent a similar breach from happening again.
3) Ongoing Management
What: Regularly revisit and update incident response plans.
Why: Global privacy regulations now change often, as do customer and partner contracts. As these requirements evolve and the nature of security threats mature, it’s important to update response plans accordingly.
How: Establish a single source of truth for all monitoring, reporting, and incident response plans through a centralized, easy-to-use dashboard. Maintain alignment on those plans, provide clarity on responsibilities, and create visibility into security measures by giving all stakeholders access.
What Does Action for Non-Compliance with PIPA Look Like?
Since South Korea amended PIPA in 2020, we have already seen the PIPC take action in several cases of non-compliance. Most notably, the PIPC held a general meeting on August 25, 2021 during which it made decisions about how to enforce the law based on numerous investigations.
The following three high-profile decisions from that meeting are examples of what to expect going forward from what has become one of the strictest global privacy regulations. These decisions are especially important because they help define how the PIPC will interpret PIPA’s territorial scope, given that all three companies are based in the United States. Additionally, the resulting actions from the PIPC demonstrate the comprehensive nature of the commission’s investigations and the seriousness with which it approaches non-compliance.
PIPC Fines Netflix KRW 223.2 Million
The PIPC fined Netflix for two different instances of non-compliance with PIPA for a total penalty of KRW 223.2 million. First, the PIPC fined Netflix KRW 220 million for collecting personal information without consent before new users completed the registration process. Second, the commission fined Netflix KRW 3.2 million for not sharing the details of transferring personal information overseas with the data subjects. In addition to the fines, the PIPC also issued a corrective order for Netflix to update these practices to comply with PIPA.
PIPC Fines Facebook KRW 6.4 Billion
The PIPC fined Facebook for six violations of PIPA for a total penalty of KRW 6.4 billion. Facebook’s violations included:
- Collecting facial recognition information to identify users and display their names in photographs uploaded to the social network without users’ consent
- Collecting social security numbers without users’ consent
- Failing to inform users about a change in managing personal information
- Not sharing the details about transferring personal information overseas
- Not sharing the details about transferring personal information to third parties
- Not submitting reference materials as requested by the PIPC
As with Netflix, the PIPC also issued a corrective order to Facebook to update these practices to be in compliance with PIPA.
PIPC Makes Recommendations for Improvement to Google
The PIPC did not find any instance of non-compliance following an investigation of Google, but did issue a recommendation for improvement. This recommendation focused on clarifying elements of Google’s privacy notice, particularly around practices for collecting and processing data like users’ payment details, occupations, and level of education.
Why It’s Time to Prioritize Proactive Incident Response
The 2020 amendments to PIPA significantly strengthened the law compared to its original form, and as security threats continue to evolve, we can expect even more updates to come. Equally important, South Korea is not the only country making these types of updates.
As global privacy laws continue to change and threats to data privacy mature, every company must prioritize proactive incident response, and automation will be foundational. Doing so can not only help avoid or reduce penalties from countries like South Korea, but it can also help maintain trust with consumers and get back to business as usual faster after a breach occurs.
Achieving such a proactive approach requires regularly tracking new regulations and updates to existing ones, introducing incident response plans that meet those requirements, assigning responsibility for putting those plans into action as needed, and revisiting all of those efforts on an ongoing basis.