Jun 23, 2016

Korea Increases Penalties For Data Breach and Unauthorized Transfer of Data: Korea Communications Commission

In March 2016 Korea made amendments to its Act on the Promotion of Information & Communications Network Utilization and Information Protection (“Act”). The purpose of the Act is to both facilitate the utilization of information and communications networks and regulate for the protection of personal information including that of users of online service providers.  “Online service provider” includes any commercial website operator or telecommunications service provider; and “user” is defined as any person that uses the information and communications services of an online service provider.

The Act covers the collection, storage, use, processing, provision, destruction and similar disposition of personal information. The Act applies to Korean online service provider companies and, though the Act does not specify, may apply to foreign companies.

In determining whether the Act will apply in the case of a foreign website operator, the Korea Communications Commission (KCC) would likely consider factors including the location of the website’s server, whether the website is written in the Korean language or uses a Korean domain, or whether the operator conducts promotional activities in Korea.  In January 2014, the KCC fined multinational corporation Google 212 million Korean won (approximately US$200,000) for collecting Korean users’ personal information without properly obtaining their consent. This was the first time that the KCC had imposed an administrative sanction against a foreign corporation for violation of Korean personal information protection law.

The amendments, which will take effect on 23 September 2016, further enhance accountability for data protection and increase sanctions for data breach or unauthorised transfer of personal data. Sanctions will be increased to three times the actual damage suffered by customers in the event of a data breach; and in the event that a company does not obtain the necessary prior consent for transfer of personal information abroad, a statutory fine of up to 3% of revenue generated from its use will be imposed – up from 1%. Criminal sanctions may also be imposed.

In light of the stringent penalties soon to come into effect, it would be advisable for online service providers, both those in Korea and those with a connection to Korea, to exercise particular vigilance in their data protection compliance practices.
___
Sean Hayes may be contacted at: SeanHayes@ipglegal.com.  Sean is co-chair of the Korea Practice Team at IPG Legal. He is the first non-Korean attorney to have worked for the Korean court system (Constitutional Court of Korea) and one of the first non-Koreans to be a regular member of a Korean law faculty. Sean is ranked, for Korea, as one of only two non-Korean lawyers as a Top Attorney by AsiaLaw.  Sean is known for his proactive New York-style street-market advice and his aggressive and non-conflicted advocacy.  Sean works with some of the leading retired judges, prosecutors and former government officials working in Korea.

Sean's profile may be found at: Sean C. Hayes