Personal Information Protection Commission

The Personal Information Protection Commission (PIPC, 개인정보보호위원회/個人情報保護委員會) is an independent commission under the Personal Information Protection Act (hereinafter referred to as the "Act").

The new Act provides for establishment of a data protection authority under the Presidential Office ‘to deliberate and resolve the matters regarding data protection’, and that it ‘shall independently conduct the functions belonging to its authority’.

Key words
data protection, independent commission, Commissioner, Secretariat

Background of the Commission
Since 2004, there had been much talk but little action regarding a new framework act on data protection and privacy both in the public and private sectors. Until three draft Bills on comprehensive data protection were placed before the National Assembly in 2009 and 2010, law-makers had been arguing over the grade and characteristics of the data protection watchdog in Korea.

The ruling camp proposed the plain administrative commission under the Premiere's Office while the opposition group and civic groups insisted on the independent commission under the Presidential Office equal to the National Human Rights Commission (NHRC).

Until then, lawmakers were hesitant because those Bills were hard to reconcile with each other, and no one regarded their passage as urgent. But coming to 2010, the Ministry of Public Administration and Safety (MOPAS) pushed ahead with an enlarged framework of legislation as data protection in the public sector was in need of fundamental overhaul.

Accordingly, MOPAS was ready to accept the opposition group's proposal including the Commission under the President's Office and 15-member big body (compare with 11-member NHRC), which has made it possible for opposition groups to be duly represented in the Commission.

Organization of PIPC
The PIPC consists of not more than 15 Commissioners, including one Chairperson and one Standing Commissioner, who is a public official in political service in charge of administrative affairs of the Commission.

The Chairperson shall be commissioned by the President from among non-public official Commissioners.

The Commissioners is appointed or commissioned by the President from among the persons with competence as stated in the Act.

In this case, five Commissioners shall be appointed or commissioned from among the candidates elected by the National Assembly, and other five Commissioners from among the candidates designated by the Chief Justice of the Supreme Court.

The term of office for the Chairperson and Commissioners is three years, and their term of office may be only once extended.

The meeting of the Commission shall be convened by the Chairperson when the Chairperson deems it necessary or more than one quarter of Commissioners demand it.

The resolution of the meeting of the Commission shall be made by the affirmative votes of the majority of present Commissioners if more than half of the Commissioners are present at the meeting.

A secretariat is established within the Commission, and would therefore in principle be independent of the Ministry of Public Administration and Security to support its administration, and is headed by a Director.

In reality
While the President appoints the rest of the Commissioners, this is within constraints of the separation of powers and multi-party system. When the PIPC started its first sail after the entry into force of the Act, because of a deadlock in the National Assembly, which is entitled to elect five Commissioners of the 15-member PIPC, the nomination of the First Chairperson and deliberation on the Basic Plan for the initial three years and the Implementation Plan for 2012 were postponed accordingly.

The PIPC was completed in the early January 2012 (with Attorney Tae-Jong Park as Chair), and first met in January 2012.

Authority of PIPC
The Commission shall independently conduct the functions belonging to its authority.

It has a wide range of powers concerning determining policy matters, the giving of opinions, issuing reports, the ‘coordination of positions taken by public institutions’, and the interpretation of laws and regulations, but not the resolution of individual complaints.

According to Article 8 (Functions of the Commission) of the Act, the PIPC deliberates and resolves the following matters:
 * 1) The Basic Plan under Article 9 and the Implementation Plan under Article 10 of the Act;
 * 2) Matters for the improvement of policies, systems and legislation related with data protection;
 * 3) Matters for the coordination of positions taken by public institutions with respect to the processing of personal information;
 * 4) Matters regarding the interpretation and operation of laws and regulations related with data protection;
 * 5) Matters regarding the use and provision of personal information under Article 18(2)v;
 * 6) Matters regarding the result of the Privacy Impact Assessment under Article 33(3);
 * 7) Matters regarding the suggestion of opinion under Article 61(1);
 * 8) Matters regarding the advice of measures under Article 64(4);
 * 9) Matters regarding the disclosure of results under Article 66;
 * 10) Matters regarding the making and submission of the Annual Report under Article 67(1);
 * 11) Matters referred to the meeting by the President, the Chairperson of the Commission or more than two Commissioners with respect to data protection; and
 * 12) Other matters to be deliberated and resolved by the Commission under this Act or other laws and regulations.

Also the PIPC may, if necessary for the deliberation and resolution of matters stated in above paragraph, ask opinions of relevant public officials, specialists in data protection, civic organizations and related operators, and request relevant materials from the authorities concerned.

Google's TOC decision
On June 11, 2012, the PIPC has decided that Google’s changes to the Terms of Service (TOS) of over 60 of its services, unifying them in a single TOS, may be in breach of various provisions of the Act.

Google’s TOS changes, which were effective on 1 March 2012, are considered by the PIPC to likely to breach these laws in three ways:
 * They do not specify the purpose of collection clearly enough, and cannot comply with the requirement that personal information may only be collected and used to the minimum extent necessary for the purpose for which it is collected;
 * They do not comply with the requirement that where personal information is to be used for purposes other than the purpose for which it was collected, it is necessary to obtain additional consents for such uses; and
 * They do not specify that that personal information will be erased immediately upon the expiration of its retention period or on request from a data subject.