Companies to face enhanced privacy enforcement in South Korea in 2021

31 Dec 2020 3:00 am by Wooyoung Lee

Personal Information Protection Commission

Businesses in South Korea should significantly step up reviews of their data-collection and management practices to ensure they comply with South Korean privacy rules and keep abreast of potential changes to the country’s privacy law, as the country’s regulator looks to strengthen its enforcement authority in 2021.

The Personal Information Protection Commission, or PIPC, is planning for a wider inspection of data-handling practices in the telecom industry, while preparing to draft a revision of the Personal Information Protection Act that will include a plan to impose fines of up to 3 percent of annual turnover for privacy violations.

The PIPC, which launched in August 2020, is the youngest and smallest ministerial-level government agency in South Korea, with some 150 officials.

The creation of the PIPC as the country's sole privacy enforcer was part of the South Korean government’s agenda to win an adequacy decision from the European Commission under the General Data Protection Regulation, or GDPR, to ensure the free flow of personal data between the EU and South Korea.

The young agency has the authority to carry out inspections and investigations and to impose penalties for privacy violations, and its plan to heighten privacy oversight will affect various sectors and businesses that handle personal information one way or another.

GDPR adequacy outlook

The agency’s chairman, Yoon Jong-in, said recently in a discussion with journalists that he looks forward to having an “early decision” for an adequacy finding from the EU soon.

An “early decision” is considered a crucial stage in the negotiations with the European Commission to win an adequacy decision. According to PIPC officials, reaching the early decision status raises the prospect for the country to win a final adequacy decision from the European Commission. After an early decision, the EC invites its member countries to review a draft decision and sends it to the European Data Protection Board for further review and feedback.

South Korea’s discussion with the EU on an adequacy finding dates back to 2015. The country had reformed its privacy law in line with the standards set by the GDPR.

Privacy investigation

The PIPC has recently identified two priority areas for privacy enforcement next year.

The regulator plans to carry out an inspection of the telecom industry and the way telecom companies and their retail stores and affiliate businesses handle the personal information of customers. The plan was prompted by a recent sanction decision on LG UPlus over the mishandling of personal data of customers at retail stores in December.

The PIPC investigators suspect that the mishandling of customers’ data is prevalent in the telecom industry and pledge to conduct a sector-wide inspection in 2021.

Another area of concern is food-delivery services and the way their partner payment services mishandle personal information of customers collected from online food-order systems.

Some payment services that work with Delivery Hero’s South Korean subsidiary Yogiyo have been under a probe by the PIPC and the police over the alleged mishandling of customer data, such as home addresses, cell phone numbers, payment methods and even pass codes to apartments.

The PIPC also warned that foreign businesses that are reluctant to cooperate with the regulator for privacy probes will be subject to further regulatory action. The regulator recently decided to refer Facebook and its top privacy officer to the prosecution service, accusing the social media giant of interfering with the investigation by submitting false or inaccurate information to the regulator.

Facebook was hit with fines of 6.7 billion won ($6.1 million), the highest fine ever issued for privacy violations, for illegally sharing data of South Korean users with third-party applications, after a two-year probe triggered by the Cambridge Analytica controversy.

Revision to privacy law

The regulator recently outlined potential changes to the Personal Information Protection Act, or PIPA, that include increasing fines to up to 3 percent of annual turnover for privacy violations, scrapping criminal liability against privacy officers and reforming procedures for data transfers abroad.

The announcement of a second revision to the PIPA came just five months after the law took effect in August following a major revision. The changes sought by the regulator are intended to address legal loopholes and include some issues that were left out of the previous revision and that the regulator considers crucial to enhancing its enforcement capabilities and its plans to safeguard personal information.
