Privacy & Information Security Law Blog

As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.

As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament.  The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.

Principal provisions of the Regulations require that:

• Data handlers create and adhere to administrative and technical security procedures at each place of business where personal information is handled.
• Entities allow individuals to signify their consent to collection, use or disclosure of personal data by using email, telephone or through a website.
• Entities conform to PIPA’s additional consent requirements for certain “sensitive” or “unique identifying” information.
• Websites with 10,000 or more average daily users during the last three months of the preceding year (excluding those maintained by banks and other institutions) provide sign-up methods that use surrogate information instead of actual identification numbers.
• Data handlers with more than 50 employees appoint a specific data processing officer who will receive special training.

Other key provisions of the Regulations also define the types of video surveillance equipment that will be restricted by PIPA, and outline notice requirements for the legal use of security cameras.  Furthermore, the Regulations impose mandatory contractual provisions for data handler and sub-contractor agreements and require public disclosure of these relationships.  Finally, the Regulations clarify PIPA’s breach reporting requirement by stating that they apply to breaches that affect 10,000 or more individuals, and only allow class action complaints where data-related disputes involve 50 or more persons.

The Enforcement Decree and Enforcement Regulations remain subject to review.  However, PIPA becomes effective on September 30, 2011, and final versions of the regulations are therefore likely to be adopted before that date.