In March 2016 Korea made amendments to its Act on the Promotion of Information & Communications Network Utilization and Information Protection (“Act”). The purpose of the Act is to both facilitate the utilization of information and communications networks and regulate for the protection of personal information including that of users of online service providers. “Online service provider” includes any commercial website operator or telecommunications service provider; and “user” is defined as any person that uses the information and communications services of an online service provider.
The Act covers the collection, storage, use, processing, provision, destruction and similar disposition of personal information. The Act applies to Korean online service provider companies and, though the Act does not specify, may apply to foreign companies.
In determining whether the Act will apply in the case of a foreign website operator, the Korea Communications Commission (KCC) would likely consider factors including the location of the website’s server, whether the website is written in the Korean language or uses a Korean domain, or whether the operator conducts promotional activities in Korea. In January 2014, the KCC fined multinational corporation Google 212 million Korean won (approximately US$200,000) for collecting Korean users’ personal information without properly obtaining their consent. This was the first time that the KCC had imposed an administrative sanction against a foreign corporation for violation of Korean personal information protection law.
The amendments, which will take effect on 23 September 2016, further enhance accountability for data protection as well as increase sanctions for data breach or unauthorised transfer of personal data. Sanctions will be increased to three times the actual damage suffered by customers in the event of a data breach; and in the event that a company does not obtain the necessary prior consent for transfer of personal information abroad, a statutory fine of up to 3% of revenue generated from its use will be imposed – up from 1%. Criminal sanction may, also, be imposed.
In light of the stringent penalties soon to come into effect, it would be advisable for online service providers both in Korea, and with a connection to Korea, to exercise particular vigilance in their data protection compliance practices.
Sean Hayes may be contacted at: [email protected] Sean is co-chair of the Korea Practice Team at IPG Legal. He is the first non-Korean attorney to have worked for the Korean court system (Constitutional Court of Korea) and one of the first non-Koreans to be a regular member of a Korean law faculty. Sean is ranked, for Korea, as one of only two non-Korean lawyers as a Top Attorney by AsiaLaw. Sean is known for his proactive New York-style street-market advice and his aggressive and non-conflicted advocacy. Sean works with some of the leading retired judges, prosecutors and former government officials working in Korea.
Sean’s profile may be found at: Sean C. Hayes
- Korea’s Data Privacy and Data Protection Law
- Constitutional Court of Korea Declares Real Name Verification Unconstitutional
- Tax Audits in Korea
- Constitutional Court of Korea Declares Internet Real-Name Online Identification System Unconstitutional
- Consequences of a Business Transfer in Korea: Employee Transfer?
- Searching Trademark & Service Marks in Korea: Register your Trademarks/Service Marks Prior to Doing Business in Korea
- Foreign Account Tax Compliance Act (FACTA) in Korea
- Korea’s New Electronic Passport Without Resident Registration Number in 2020
- Publicity Rights/Portrait Rights in Korea: Entertainment Law Basics in Korea
- Did Korea Kill Uber? South Korea vs. Uber