Data protection

Data protection (개인정보보호/個人情報保護), the term preferred in Europe, is used in Korea with the same meaning as privacy.

2011 is a watershed year in that Koreans were surprised to hear of large-scale data breaches taking place one after another, and in that they saw a new data protection act come into force on September 30, 2011. Data breach notification has become mandatory for almost all personal information processors in both the public and private sectors.

According to the survey of Prof. Graham Greenleaf at University of New South Wales, 101 states have [[Media:Greenleaf_wwDPAct.docx|data protection laws and bills]] as of June 3, 2013.

Key words
data protection, privacy, personal information, Personal Information Protection Act, data processor, data breach notification

History
Until the new Data Protection Act was enacted, Korea’s privacy protection legislation had been established by sector.

The public sector had an urgent need of a data protection law, because a universal ID number, the resident registration number, is used generally, while privacy protection in the private sector was implemented on a case-by-case basis.

The Act on the Protection of Personal Information Maintained by Public Agencies (공공기관의 개인정보보호에 관한 법률, the "Public Agency Data Protection Act", first enacted in 1995) governed the government's collection of personal information in accordance with the OECD Guidelines on privacy protection. This Act applied to all public institutions: government departments and offices in the Administration, the Legislature and the Judiciary, as well as local governments, various schools, government-owned companies, and public sector institutions. Accordingly, in the public sector, privacy protection provisions are found in the Act on Communication Secrets (통신비밀보호법), the Telecommunications Business Act (전기통신사업법), the Medical Act (의료법), and the Public Agency Data Protection Act, among others. Because an OECD member state is required to observe OECD rules, the Korean government has adopted the eight OECD principles stated below:
 * 1) Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
 * 2) Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
 * 3) Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
 * 4) Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except a) with the consent of the data subject; or b) by the authority of law.
 * 5) Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
 * 6) Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
 * 7) Individual Participation Principle: An individual should have the right a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
 * 8) Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

In the private sector, the Credit Information Act (신용정보의 이용 및 보호에 관한 법률), the Framework Act on Electronic Commerce (전자거래기본법) and the Electronic Signature Act (전자서명법) contain data protection provisions. For example, the Framework Act on Electronic Commerce requires that electronic traders shall not use, nor provide to a third party, personal information collected through electronic commerce beyond the notified purpose of collection without the prior consent of the data subject, except as specifically provided in another law.

Among others, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (정보통신망 이용촉진 및 정보보호 등에 관한 법률, the "Data Protection Act", as wholly amended in 2001) generally applies to entities or individuals that process personal data for profit through telecommunication networks and computers. Personal credit information and medical records are protected by other legislation.

New Personal Information Protection Act
Since 2004, there has been much cry and little wool regarding a new data protection bill.

Finally a new full-fledged [[Media:KoreanDPAct2011.pdf|Personal Information Protection Act]] was promulgated on March 29, 2011, and came into force six months later on September 30, 2011. The new Act replaces the existing Public Agency Data Protection Act in whole and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. in part.

Upon the implementation of the new Act, more than 3.5 million public entities and private businesses will be regulated by common criteria and principles in relation to the collection, use, processing and destruction of personal information. A number of changes in regulation and practice mean that these entities and businesses will need to be alert and watch out for any possible violation of the new law, so the government is going to make the changes public during the preparation period prior to its enforcement. In order to enforce the new Act effectively, standards for the processing of personal information and universal identifiers, implementation guidelines, and the Data Protection Framework were to be revised every three years, and its Action Plan will be worked out in due course. An explanatory guidebook on the new Act will also be published, along with promotional seminars.

On the global scene, the Korea-EU Free Trade Agreement, which became effective on July 1, 2011, has brought the data protection issue into the spotlight, because the increasing trade volume between Korea and the EU Member States may sooner or later call for Korea to apply for an adequacy assessment so as to be admitted to the white list of countries recognised by the Article 29 Data Protection Working Party of the European Commission.

What's different from the previous DP Act
The new Act ushers in important changes in data protection as follows:
 * 1) All data processors, whether public or private, will be regulated by the new Act. The Act covers not only personal information processed electronically but also that which is handled manually, which had been beyond the scope of application of the existing laws.
 * 2) The Personal Information Protection Commission, composed of 15 members including one chairperson and one standing commissioner, will be established under the Presidential Office, like the National Human Rights Commission. It will deliberate important policy issues and laws and regulations on privacy and data protection, functioning independently within the government organization.
 * 3) Standardized safeguards of personal data in the course of collection, use, transfer to a third party, and destruction will be formulated. In particular, sensitive data and universal identifiers like the resident registration number, as regulated by the law, will be prohibited in principle without the specific consent of data subjects or authorization by the law. Therefore, a data processor, as regulated by Presidential Decree, will be required to provide an alternative ID for the sign-up of users on its website.
 * 4) Where personal data are obtained from a source other than the data subject, the data subject must be notified of that source. Data processors conducting marketing based on their own databases are required to obtain the data subjects' consent in an explicit manner. Data subjects shall be notified of the option of refusing consent to collection or processing, and no disadvantage may be imposed for refusal.
 * 5) Visual data gathering devices like CCTV may be installed in public places only for the purpose of crime prevention. Furthermore, where there is a potential risk to data protection in the public sector, a Privacy Impact Assessment (PIA) shall be conducted by the public institutions concerned. Private data processors engaged in the build-up or expansion of personal data files deemed to affect data protection are encouraged to conduct such PIAs on a voluntary basis.
 * 6) Data breach notification to the affected data subjects will be compulsory, and a significant data breach beyond a certain scale shall be reported to the authorities concerned. The data processor is also required to make the efforts necessary to minimise the resulting harm. In this regard, any data subject who considers that his/her rights or interests have been infringed upon by a data processor may report such infringement to MOPAS.
 * 7) The Personal Information Dispute Mediation Commission will cover both the public and private sector disputes. Also collective mediation procedures may be invoked in consideration of large scale but minimal damages to data subjects.
 * 8) In addition, a consumer organization's collective action will be allowed, but only for the suspension or injunction of activities infringing upon privacy and data protection subsequent to the mandatory collective mediation procedures. This is to avoid an avalanche of collective actions.

Amendments to the Act
The Park Geun-hye government has renamed the Ministry of Public Administration and Security (행정안전부) the Ministry of Security and Public Administration (안전행정부) in line with the newly organized government structure.
 * First amended by Act No. 11690 on March 23, 2013

Since the enactment of the current Act in 2011, massive data breach incidents have occurred from time to time. The government considered that the companies that had been collecting the national ID, the resident registration number, were not taking sufficient care or adopting sufficient safety measures, so heavier responsibilities would be placed on those in charge of data protection and safety measures. At last, in August 2013, the Personal Information Protection Act was amended to prohibit ISPs from collecting and processing the national ID, to require them to destroy the ID numbers in their possession within two years from the enforcement date, and to add stiffer penalties, including disciplinary action against company executives responsible for a serious lapse in personal data protection.
 * Recently amended by Act No. 11990 on August 6, 2013, effective on August 7, 2014

The amendment to the PIP Act comes into force on August 7, 2014, one year later. Failure to protect an individual's national ID number, for example, would constitute a serious violation. The newly added measure allows the Ministry of Security and Public Administration to demand the dismissal of top executives at companies found in violation of privacy rules and regulations. The amended Act would also give the Ministry the power to impose fines in the form of a surcharge of up to 500 million won (equivalent to US$460,000) on companies that collect and store national ID numbers if those numbers are lost, stolen, breached, or altered.