On January 9, 2020, the South Korean National Assembly passed several consequential amendments to the country’s most important pieces of data privacy legislation: the Personal Information Protection Act (‘PIPA’), the Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘ICNA’), and the Act on the Use and Protection of Credit Information (‘Credit Information Act’). The amendments, which began to take effect on August 5, 2020, are widely regarded as part of South Korea’s pursuit of an adequacy decision from the European Commission under the General Data Protection Regulation (‘GDPR’). An adequacy decision, granted to non-EU countries whose level of data protection is deemed to adequately meet the standards of the GDPR, would further ease the transfer of data between the third country and EU member states by removing certain procedural safeguards.
Before launching into a discussion of the amendments’ key provisions, this article will lay out the backdrop against which they were legislated. In August 2015, the South Korean government established a joint public-private sector task force―charged with conducting feasibility studies, self-assessments, and comparative analyses related to data regulation―in preparation for adequacy negotiations with the EU. There have been two prominent rounds of adequacy negotiations since then, both of which failed. The first round was grounded on an adequacy assessment of PIPA―Korea’s more general data protection law―with a specific focus on the regulations it sets in place for data controllers and processors. The European Commission withheld an adequacy decision on the grounds that the governmental Ministry of the Interior and Safety (‘MOIS’)―the data protection authority (DPA) of the PIPA―was not an independent organization.
The second round was based on a much more focused adequacy assessment of the ICNA data protection laws. With the DPA for the ICNA being the Korea Communications Commission (‘KCC’)―a central government agency directly under the President―the level of data protection of ICNA was deemed much higher than that of PIPA. The problem was that an adequacy decision based on the adequacy assessment of ICNA, which mainly regulates the processing of data by online service providers, would be too limited in scope to support the free flow of a large fraction of data transmissions between South Korea and EU member states. Hence, the Korean government returned to the drawing board, amending existing legislation so that, first, the multiple DPAs handling data protection matters could be consolidated into one central and independent authority and, second, the personal data protection clauses in ICNA could be integrated into PIPA.
The aim of the amendments made to the three pieces of legislation was to reduce overlap in data privacy regulations, and to introduce the concept of pseudonymized data and offer a legal framework for its use. As for the amendments made to PIPA, the concepts of personal data, pseudonymized data, and anonymized data were first clarified. The permissible scope of pseudonymized data processing was restricted to statistical purposes, scientific research, or matters of public record-keeping. The combination of such pseudonymized data was also laid out as permissible under the condition that it be conducted by personal data controllers through specialized agencies. Use and release of personal data without obtaining the data subjects’ consent was also specified as permitted in circumstances in which such practices are reasonably related to the original purpose of the data collection, taking into consideration whether disadvantages could be caused to the data subject and whether necessary security measures have been taken. The status and powers of South Korea’s Personal Data Protection Commission (PDPC) were raised. Finally, special provisions that were previously in the ICNA were incorporated into PIPA.
Compared with those made to PIPA, the amendments to the ICNA and the Credit Information Act were smaller in scope and fewer in number. For the ICNA amendments, as mentioned above, general provisions relating to the protection of personal data were deleted and added to PIPA. The authority of the Korea Communications Commission (KCC) was also explicitly delegated to the Korean Communications Office. Amendments to the Credit Information Act, on the other hand, entailed further clarification of the legal basis for the analysis and usage of big data in the finance sector, the deletion of provisions that duplicate or resemble those of PIPA, an improved regulatory framework for the credit information industry, the introduction of the MyData industry, and the strengthening of protection of personal data in the finance sector.
As a result of these major amendments to the three major data privacy laws in South Korea, on March 30, 2021, the European Commission announced the “successful conclusion” of the adequacy talks between the EU and South Korea. Now, once a committee composed of representatives of the EU member states gives its formal approval, the European Commission can adopt the adequacy decision, thereby introducing the free flow of personal data between the EU and South Korea; this is expected to take place within 2021. That being said, it is important that South Korean companies gird themselves by ensuring compliance with the legal requirements of the GDPR and strategizing for increased involvement with the EU market.