South Korea’s Personal Information Protection Act (PIPA)
Data privacy in South Korea is recognized in The Constitution of South Korea, recognizing communications and freedom of expression as a fundamental right. PIPA went into effect in September 2011 and was considered one of the world’s most stringent data protection laws. The goal of PIPA was to develop a ‘data economy’ by introducing a legal basis on which data may be used in a more flexible way provided it’s reasonably related to the original purpose for which it was collected for data privacy in South Korea. This law dictates standard procedures for data transfer and protects citizens’ rights and interests.
PIPA was amended in 2020, enforcing specific rules for data processing, collection and disclosure. An additional amendment was published by the Personal Information Protection Council (PIPC) for public comment on January 6, 2021. The proposed amendment introduces the right to data portability and the right to be excluded from automated decision-making, diversifies the methods of transferring personal data overseas and includes pseudonymised data in the scope of information that a data handler is required to destroy.
Amendments Passed in 2020
1st Amendment
Introduces the concept of “pseudonymised data” and distinguishes between personal data and pseudonymized data. Pseudonymized data can typically be processed without consent when the purpose is for research, statistics and public records.
2nd Amendment
Allows entities to reasonably use personal data without consent, if data is being used “within a scope that is reasonably related to the original purpose of collection.”
3rd Amendment
Allows data to be merged under special conditions. Data sets by two different processors may be amalgamated if performed by specialized agencies that commit to meeting regulations in compliance with PIPA requirements.
Key Definitions
Personal Data
PIPA has a broad definition of personal data, which is any data relating to a living natural person that:
- Identifies a particular individual by his/her full name, resident registration number (‘RRN’), image, or the like
- May be easily combined with other information to identify a particular individual
- Falls under the above two categories which is pseudonymised, thereby becomes incapable of identifying a particular individual without the use or combination of additional information for restoration to its original state
Sensitive Data
Personal information regarding an individual’s ideology, faith, trade union or political party membership, political views, health, sexual orientation and other personal information that may cause a material breach of privacy. Further includes genetic information, criminal records, information on an individual’s physical, physiological, and behavioral characteristics for the purpose of identifying a specific individual and racial/ethnic data.
Pseudonymisation
Data from which the specific individual cannot be identified without the use or combination of additional information for restoring to the original state.
Anonymised Information
Any information which cannot be used to identify a specific individual even if the information is combined with other information, after reasonably considering factors such as time, cost, and technology (not subject to PIPA).
Similarities between PIPA and GDPR
| PIPA | GDPR | |
|---|---|---|
| Purpose of Law | Safeguards the rights and interests of data subjects by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. | Aims “to enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.” |
| Scope | Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties. | Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. |
| Consent | Decrees “technical, managerial and physical measures … necessary to ensure the safety, so that personal information may not be lost, stolen, leaked, altered or damaged.” | Decrees appropriate technical responses and measures “to ensure a level of security appropriate to the risk.” |
Differences between PIPA and GDPR
| PIPA | GDPR | |
|---|---|---|
| Personal Data Definition | Has a more detailed definition of personal data. | Sets precedence when it comes to the definition of personal data, but it’s not as specific as PIPA’s definition. |
| Breach Definition | Does not define a breach, but refers to it as an event where personal information has been breached. | Defines data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. |
| Officer In Charge | Requires that the Personal Information Processor appoint a Privacy Officer. | Requires that the Controller appoint a Data Protection Officer. |
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.