


The Personal Information Protection Act was enacted to protect data subjects and to make personal information controllers take responsibility for personal information protection. Since the establishment of the Personal Information Protection Act in 2011, it has been protecting data subjects from personal data breach damage.

The Personal Information Protection Commission (PIPC) submitted a government bill to the National Assembly in September 2021 and mediated differences of opinion through communication with domestic and overseas stakeholders such as relevant ministries, the academic and industrial circles, and civic groups. After two years of in-depth discussion, the bill was finally passed at the National Assembly. The amended Act was announced on March 14, 2023 and will take effect six months later, on September 15, 2023.



Background to the Amended Personal Information Protection Act

The amendments to the three data acts (Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, and Credit Information Use and Protection Act), which took effect in August 2020, mainly focused on establishing a control tower for personal information protection and revitalizing the data economy. However, there is an opinion that the rights of the people need to be strengthened in the changing data environment.
The second amendment to the Personal Information Protection Act is the first government bill since the establishment of the Act that has reflected the opinions of the relevant ministries, the academic and industrial circles, civic groups, etc. It is meaningful in that the amendment is a full-scale revision of the Act to strengthen and protect data subjects' rights and secure compatibility with international standards.



What is New in the 2023 Amendment to the Personal Information Protection Act



Expansion of data subjects’ rights


In the amendment to the Personal Information Protection Act, the right to demand personal information transmission was newly inserted as part of the expansion of data subjects' rights. 

With the newly established right to demand personal information transmission, a data subject is now able to demand the transmission of their information to themselves or third parties (other personal information controllers or personal information management institutions). As a result, limited MyData services now can be expanded with the newly established right to demand personal information transmission.


Article 35-2 of the Personal Information Protection Act (Request for Personal Information Transmission)

(1) A data subject may demand to transmit their personal information items that satisfy all of the following requirements to themselves from a personal information controller meeting the criteria prescribed by Presidential Decree, taking personal information processing competences, etc., into account. [This Article Newly Inserted, Mar. 14, 2023]



In addition, a new article about the right to demand an explanation about an automated decision and the right to deny such a decision has been inserted. Based on the newly established article, a data subject can demand an explanation about an automated decision or deny such a decision where a decision made from personal information processing by an automated system has a crucial impact on their rights or obligations.


Article 37-2 of the Personal Information Protection Act (Data Subjects’ Right, etc. to Automated Decision)

(1) A data subject can request the suspension of the processing of his/her personal information from the personal information controller or withdraw his/her consent to personal information processing. In such cases, the data subject can request the suspension of the processing of his/her personal information items subject to registration from the public institution or withdraw his/her consent to personal information processing under Article 32. <Amended on Mar. 14, 2023>

(2) Where a personal information controller receives a request for the suspension of information processing, referred to in paragraph (1), the personal information controller shall suspend the whole or part of the processing of the personal information as requested: Provided, That the personal information controller may deny the data subject’s request, if falling under any of the following subparagraphs. <Amended on Mar. 14, 2023>




Improvement in unreasonable consent systems


In the past, a personal information controller could collect personal information without a data subject's consent where it is inevitably necessary to execute and perform a contract with the data subject. 

However, the amended Act stipulates that a personal information controller can collect or use personal information of a data subject where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject.


Article 15 of the Personal Information Protection Act (Collection and Use of Personal Information) <Amended on Mar. 14, 2023>

(1) A personal information controller may collect personal information in any of the following circumstances, and use it within the scope of the purpose of collection:

4. Where it is necessary to take proper measures at the request of the data subject in the process of executing or performing a contract with the data subject;




Deletion of the special provisions concerning providers of information and communications services


In the past, where a person collected personal information without the consent of a data subject, an offline enterprise was subject to a fine not exceeding 50 million won and an online enterprise was subject to a fine equivalent to less than three-hundredths of total sales.

However, the amended Act stipulates that the same penalties apply to all personal information controllers regardless of the types of their businesses, online or offline.

In addition, the amended Act unifies “personal information controllers” and “providers of information and communications services” which used to be distinguished from each other. Special provisions similar to or overlapping general provisions, such as consent to the collection and use of personal information, the collection of personal information of children aged under 14, and data breach notification, are integrated into general provisions and are expanded to all fields.




Establishment of portable visual data processing device operation standards


As the use of portable visual data processing devices such as CCTVs, drones, and self-driving cars is growing, relevant provisions were newly inserted. A person who intends to operate any portable visual data processing device for part of his/her activities is allowed to film persons or images of things related to the persons in open spaces only when certain requirements are satisfied.


Article 25-2 of the Personal Information Protection Act (Limitation to Operation of Portable Visual Data Processing Devices)

(1) A person who intends to operate any portable visual data processing device for part of his/her activities shall not take pictures of or film persons or images of things related to the persons with the device at open places, except in any of the following circumstances:




From penalty-centered restrictions to economy-centered restrictions

The amended Act has changed penalty-centered restrictions to economy-centered restrictions. In the amended Act, the excessive penalty provisions were revised, the upper limit of administrative fines was increased, and penalty targets were expanded.
To impose administrative surcharges proportional to the severity of the violation, the amended Act has changed the administrative surcharge calculation standard from total sales to sales except the sales not related to the violation.
In the past, a fine was equivalent to less than three-hundredths of the sales related to the violation. However, the amended Act stipulates that a fine shall be equivalent to three-hundredths of the total annual sales, which is stricter.

Article 64-2 of the Personal Information Protection Act (Imposition of Penalty Surcharges)

(1) The Commission may impose a fine equivalent to less than three-hundredths of total sales on the personal information controller in any of the following circumstances: Provided, That up to 2 billion won may be imposed as administrative surcharges on the personal information controller having no sales or sales difficult to calculate as prescribed by Presidential Decree.
(2) Where the Commission imposes a fine pursuant to paragraph (1), the fine shall be calculated on the basis of the sales except the sales not related to the violation.
[This Article Newly Inserted, Mar. 14, 2023]




Overseas transfer of personal information and the order to suspend overseas transfer 

In the past, personal information could be transferred abroad only where additional consent was obtained from the data subject. However, the amended Act stipulates that personal information may be transferred without additional consent of the data subject to a nation whose personal information protection system is of a similar standard to that of the Republic of Korea. Under the amended Act, an order to suspend overseas transfer may be issued where there is a concern that overseas transfer of personal information may cause additional damage to the data subject.

SECTION 4 Overseas Transfer of Personal Information of the Personal Information Protection Act <Newly Inserted, Mar. 14, 2023>

Article 28-8 (Overseas Transfer of Personal Information)
(1) A personal information controller shall not provide or keep personal information abroad or outsource the processing of such information abroad: Provided, That the personal information may be transferred abroad, in any of the following circumstances;

Article 28-9 (Order to Suspend Overseas Transfer of Personal Information)
(1) The Commission may order personal information controllers to suspend overseas transfer of personal information where personal information is continuously transferred abroad or additional overseas transfer is expected, in any of the following circumstances;


The Personal Information Protection Commission (PIPC) said that the amendment to the Personal Information Protection Act could become a foothold for the growth of the data industry and enterprises by effectively guaranteeing the rights of the public and resolving legal uncertainties with reasonable regulatory maintenance in the process of accelerating digital transformation.