In recent years, several jurisdictions in the Asia-Pacific (APAC) region have been introducing data privacy laws to protect personal data for the first time, while others, South Korea among them, have had data protection laws in force for over a decade.
In South Korea, the Personal Information Protection Act (PIPA) came into effect on September 30, 2011. It has since been substantially amended twice: in 2020 and again in 2023. The 2023 amendments were passed on February 27, 2023, and most of them took effect on September 15, 2023. They expanded the rights of data subjects, adding a right to data portability and a right to refuse decisions made solely by automated means, set new rules for transferring personal data overseas, and shifted enforcement from criminal sanctions toward administrative fines and penalty surcharges, among other changes.
What Is the South Korean Personal Information Protection Act (PIPA)?
The Personal Information Protection Act (PIPA) is a data privacy law that governs the collection, use, and processing of personal data relating to individuals (data subjects) in South Korea.
The PIPA applies to any data handler (the Act's own term is "personal information controller"): an individual, a public agency, a juridical person, an organization, or a business that, by itself or through a third party, handles personal data in the course of its activities.
Handling of personal data is defined in the PIPA as “processing, storage, retention, search, outputting, restoration, rectification, use, collection, generation, recording, provision, disclosure or destruction of personal data or any other action similar to any of the foregoing”.
Personal data (personal information) is information relating to a living individual that identifies that individual, either directly (for example by name or resident registration number) or when combined with other information that is reasonably available. Note that the phrase “data that is systematically organized in accordance with certain rules for easy search or use of such personal data” is the Act's definition of a personal information file, i.e., a structured collection of personal data, not the definition of personal data itself.
The Act does not spell out its territorial scope. In practice the regulator, the Personal Information Protection Commission (PIPC), applies it much as the EU applies the GDPR: South Korean companies and organizations are clearly subject to it, and foreign companies that provide services to South Korean users are likely to be as well. Factors that weigh in that assessment include whether the company offers services or products to users in South Korea and whether it generates revenue from doing business there.
The 2020 PIPA amendment
The first major amendment took effect on August 5, 2020. It introduced the concepts of pseudonymized and anonymized data: pseudonymized data may be processed without the data subject's consent for statistical, scientific research, and public record-keeping purposes, provided that the additional information needed to re-identify individuals is stored and managed separately, while anonymized data, which can no longer be linked to an individual, falls outside the Act altogether. The amendment also added new requirements, restrictions, and penalties.
The 2020 PIPA amendment also merged into the PIPA the personal-data provisions of the Network Act (the Act on Promotion of Information and Communications Network Utilization and Information Protection), which had separately regulated how online service providers process users' personal information, and parts of the Credit Information Act, and it made the Personal Information Protection Commission (PIPC) the single independent supervisory authority. This consolidation is the most important feature of the 2020 PIPA amendment.
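The pseudonymization the 2020 amendment relies on is a technical operation, and the detail that matters in practice is that the "additional information" needed for re-identification is a secret kept apart from the data. The following is an added example written for this page, not code from the Act, the PIPC, or CookieScript. It uses a keyed HMAC so that records stay linkable for analysis but nobody without the key can recover or even recompute a pseudonym, and it contrasts that with an unkeyed hash, which looks pseudonymous but is brute-forced in milliseconds because mobile numbers have so little entropy. The sample records, names and phone numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; names and phone numbers are made up for this example.
RAW_RECORDS: List[Dict] = [
    {"name": "Kim Minjun", "phone": "010-1234-5678", "age_band": "30-39", "purchases": 4},
    {"name": "Lee Seoyeon", "phone": "010-8765-4321", "age_band": "20-29", "purchases": 1},
    {"name": "Kim Minjun", "phone": "010-1234-5678", "age_band": "30-39", "purchases": 2},
]

DIRECT_IDENTIFIERS = ("name", "phone")


def new_reidentification_key() -> bytes:
    """The secret that turns pseudonyms back into people. This is the 'additional
    information' that must be stored and managed separately from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: same identifier + same key -> same pseudonym, so records stay
    linkable for analysis, but without the key it can be neither computed nor reversed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[Dict], key: bytes) -> List[Dict]:
    """Drop the direct identifiers, keep the analytic fields, add the keyed pseudonym."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["pid"] = pseudonym(rec["phone"], key)
        out.append(pseudo)
    return out


def reidentify(pid: str, raw_records: List[Dict], key: bytes) -> Optional[Dict]:
    """Re-identification needs both the raw data and the key, which is why the key
    belongs in a separate, access-controlled store whose every use is logged."""
    for rec in raw_records:
        if hmac.compare_digest(pseudonym(rec["phone"], key), pid):
            return rec
    return None


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: a plain hash of the identifier looks pseudonymous but is reversible."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def brute_force_unkeyed(target: str, known_prefix: str = "010-1234-") -> Optional[str]:
    """Even the full 10^8 space of Korean mobile numbers is feasible offline; fixing the
    prefix only keeps this demo instant (10,000 candidates for the last four digits)."""
    for n in range(10_000):
        candidate = f"{known_prefix}{n:04d}"
        if unkeyed_pseudonym(candidate) == target:
            return candidate
    return None
```

The two halves of the design are the separation (raw records plus key on one side, pseudonymized records on the other) and the keyed function: swap `pseudonym` for `unkeyed_pseudonym` and the "pseudonymized" dataset can be re-identified by anyone who can enumerate the identifier space, which for phone numbers, dates of birth or resident registration numbers is everyone.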
The 2023 PIPA amendment
The amendments were passed into law on 27 February 2023 and entered into force on 15 September 2023.
The 2023 PIPA amendment introduces the following changes in the law:
- Introduces the right to data portability. Data subjects can request that their personal information be transmitted to themselves or to another controller.
- Introduces the right to refuse automated decisions. Data subjects can object to, or request an explanation of, decisions made solely by automated processing (including AI systems) of their personal information where those decisions significantly affect their rights or obligations.
- Shifts enforcement from criminal sanctions toward administrative penalties, i.e., penalty surcharges and fines, and raises the surcharge ceiling to 3% of total annual revenue. The amendment also defines new violations, in particular obstructing a PIPC investigation.
- Introduces new lawful bases for transferring personal data (not only sensitive data) outside the country: the data subject's separate consent, a statute or treaty, PIPC-certified safeguards, or a PIPC finding that the destination provides adequate protection, together with a PIPC power to order transfers suspended.
- Levels the compliance requirements for Online Service Providers (OSPs) and Ordinary Data Controllers (ODCs). The special rules for information and communications service providers inherited from the Network Act were removed, so OSPs and ODCs are now regulated uniformly by the PIPA.
The Adequacy Decision
The European Commission adopted an adequacy decision for South Korea under Article 45 of the GDPR on 17 December 2021, building on the 2020 reform that made the PIPC an independent supervisory authority. The 2023 amendments move the PIPA further toward GDPR concepts such as data portability and rights concerning automated decision-making.
The adequacy decision means that the EU considers South Korea to provide an adequate level of personal data protection. Personal data of EU residents can therefore be transferred from the EU to South Korean recipients covered by the decision without additional transfer safeguards such as standard contractual clauses.
Key Principles of South Korean Data Privacy Law
According to the Personal Information Protection Act of South Korea, all data handlers must follow these principles when handling the personal data of South Korean users:
- Consent. Data handlers must obtain explicit consent from individuals before collecting their personal information. This consent must be informed and freely given, in response to a clearly written and understandable privacy notice explaining how the individual's data will be used. Consent is obtained separately for each matter (collection and use, provision to third parties, marketing), and a service cannot be refused because the subject declines an optional item.
- Purpose limitation. To handle personal data, companies must have specific and legitimate purposes that are disclosed to the individuals. Use beyond those purposes requires a new legal basis, such as fresh consent.
- Data minimization. Companies should collect and keep only the minimum amount of personal data necessary for the purposes for which it was collected, and destroy it without delay once those purposes are achieved. This limits the impact of a data breach and the scope for misuse.
- Data Protection Officers (DPOs). Every data handler, public or private, must designate a privacy officer (the PIPA's equivalent of a DPO) responsible for compliance with the Act, for handling complaints, and for internal controls. The privacy officer is an individual, typically an executive or senior staff member; in small businesses the owner or representative fills the role by default.
- International data transfer. Data handlers may transfer personal data abroad only on a lawful basis: the data subject's separate consent after being told the destination, recipient, and purpose; a statute or treaty; PIPC-certified safeguards; or a PIPC finding that the destination's protection is adequate (countries covered by the GDPR are the obvious candidates). The level of protection must not fall below that of the PIPA, and the PIPC can order transfers suspended.
To sum up, the PIPA imposes detailed obligations and strict requirements for personal data processing: prior notice, opt-in consent, data minimization and deletion, a designated privacy officer, and heavy sanctions. It is widely regarded as one of the strictest data protection laws in the world.
Business obligations under the PIPA
Companies are required to follow these guidelines to comply with the law:
- Data governance. Companies and organizations must establish an internal data management system, including a written internal management plan, to manage personal data according to the law.
- Consent management. Companies and organizations must provide a clear and unambiguous privacy notice regarding personal data management and obtain explicit consent before any collection or processing of data takes place, with a record of who consented to what and when.
- Data security. Companies and organizations must implement the technical, managerial, and physical safeguards required by the PIPA and its Enforcement Decree, such as access control, encryption of resident registration numbers and passwords, and access logging, to protect personal data from breaches and unauthorized access. They must train the staff who work with personal data in the principles of the law and how to apply them.
- International data transfers. Companies and organizations must ensure that personal data leaves the country only on one of the lawful bases the Act provides (separate consent, statute or treaty, PIPC certification, or a PIPC adequacy finding), and never to a recipient whose protection falls below the PIPA's level.
- Compliance reporting. Companies and organizations must maintain detailed records of data processing activities and produce them when the PIPC asks. In the case of a data breach, they must notify the affected data subjects without delay and, where the thresholds in the Enforcement Decree are met (1,000 or more data subjects, sensitive information or unique identifiers, or an external attack), report to the PIPC or KISA within 72 hours. The two run in parallel; notification of data subjects does not wait for the regulator report.
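The consent requirement above is a runtime check as much as a paperwork one: each processing step has to consult the consent record for its own purpose, not a flag copied into a user table at sign-up. The following is an added example written for this page, not CookieScript's or anyone else's product code. It keeps an append-only ledger of per-purpose opt-ins and withdrawals, evaluates "is this permitted now?" with a default of deny (purpose limitation: a purpose never consented to is refused outright), and exposes the full trail as proof of consent. The subject ID, purposes, notice version and timeline are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # the disclosed purpose, e.g. "order_fulfilment", "marketing"
    granted: bool         # True = opt-in given, False = consent withdrawn
    at: datetime          # when the subject acted (must be timezone-aware)
    notice_version: str   # version of the privacy notice the subject was shown


class ConsentLedger:
    """Append-only record of consent decisions, one event per subject, purpose and action."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not event.purpose or not event.notice_version:
            raise ValueError("a consent event needs a purpose and a notice version")
        self._events.append(event)

    def permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Default deny: processing for `purpose` is allowed only if the most recent event
        on file for that subject and purpose, as of `at`, is an opt-in. A purpose the
        subject never consented to therefore evaluates to False (purpose limitation)."""
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                state = ev.granted
        return state

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything the subject ever granted or withdrew: the proof-of-consent trail."""
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)


def send_marketing_email(ledger: ConsentLedger, subject_id: str) -> bool:
    """Gate a processing step on the ledger rather than on a cached 'opted_in' column."""
    if not ledger.permitted(subject_id, "marketing"):
        return False  # no opt-in on file, or it was withdrawn: do not process
    # ... the actual send would happen here ...
    return True


def demo_ledger() -> ConsentLedger:
    """Constructed timeline for a made-up subject 'u-1001' on 1 March 2024 (UTC)."""
    def t(hour: int) -> datetime:
        return datetime(2024, 3, 1, hour, 0, tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u-1001", "order_fulfilment", True, t(9), "notice-v3"))
    ledger.record(ConsentEvent("u-1001", "marketing", True, t(9), "notice-v3"))
    ledger.record(ConsentEvent("u-1001", "marketing", False, t(15), "notice-v3"))  # withdrawal
    return ledger
```

Two design choices carry the compliance weight. The ledger is append-only, so a withdrawal never erases the earlier grant and the history can be produced on request; and `permitted` is evaluated per purpose at the moment of processing, so a marketing job that runs after the 15:00 withdrawal is refused even though the order-fulfilment consent remains valid.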
Compliance with the South Korean Personal Information Protection Act is not a recommendation but a legal requirement. Non-compliance with the law could lead to severe penalties.
There are different penalties for breaching the PIPA. These include administrative sanctions such as fines, penalty surcharges, or corrective orders.
The PIPA allows penalty surcharges of up to KRW 3 billion (approximately €2.1 million) or 3% of the company’s total annual revenue; the 2023 amendment changed the base from revenue related to the violation to total revenue, which makes the ceiling considerably higher in practice.
How to Ensure Compliance with South Korea’s PIPA?
To be compliant with the PIPA, companies and organizations are advised to consider the following actions:
- Honour the data subject rights, in particular the right to data portability and the right to refuse automated decisions, with a process for answering requests.
- Establish a robust data management system with a written internal management plan.
- Implement a consent management system that records, per purpose, who consented to what and when, and lets subjects withdraw.
- Implement the technical, managerial, and physical safeguards the Act requires to protect personal data from breaches and unauthorized access, including access control and access logging.
- Encrypt personal data at rest and in transit, in particular resident registration numbers, other unique identifiers, and passwords (the latter stored only as one-way hashes).
- Set rules for international data transfers that map each transfer to one of the lawful bases in the Act.
How Can CookieScript Help with the PIPA Compliance?
CookieScript Consent Management Platform covers the cookie consent side of PIPA compliance. It’s a user-friendly plugin, so you can meet the consent requirements for cookies and trackers without a complicated technical implementation.
Our Cookie Scanner scans your website for cookies and other tracking technologies and provides a detailed scan report including details about your website’s cookies with their provider, duration, and third parties if any.
CookieScript CMP allows you to create a fully customizable and configurable Cookie Banner. You can personalize colors, fonts, text, and style, and adjust the banner to your website's design. You can create the Cookie Banner in 30+ languages or even add any custom language.
If you are an international company and have users from different countries, CookieScript CMP allows you to display multiple cookie banners using geo-targeting. Different cookie banners will be delivered to website users based on their geographic locations.
Finally, you can maintain a full history of user consent for proof of compliance.
Frequently Asked Questions
What are the key principles of South Korean data privacy law (PIPA)?
According to the Personal Information Protection Act (PIPA) of South Korea, all data handlers must follow these principles: obtain explicit consent from individuals, have specific and legitimate purposes for the processing of data, collect and keep only the minimum amount of personal data, designate a privacy officer, and transfer data internationally only on one of the lawful bases the Act provides (separate consent, statute or treaty, PIPC certification, or a PIPC adequacy finding). CookieScript CMP can help you comply with the PIPA and other privacy laws.
How can I know which cookies and trackers my website uses?
Use our Cookie Scanner, a free tool that scans your website for cookies and other trackers and provides a detailed scan report with each cookie’s provider, duration, and any third parties involved.