April 19, 2012


Professor Abu Bakar Munir

In March 2011, the South Korean government adopted a more comprehensive law titled the Personal Information Protection Act (PIPA). The new law contains comprehensive data protection principles, which will apply to all organizations and individuals handling personal data. The PIPA uses the term “Personal Information Processor”, which includes a public institution, legal person, organization and individual that processes personal information directly or indirectly.

Interestingly, the PIPA requires a privacy impact assessment to be carried out by a public institution where a violation of the personal information of data subjects is probable in the processing of personal information. For non-public institutions, the PIPA simply states that they “shall make efforts in a positive way to conduct Privacy Impact Assessment if the violation of personal information of data subjects is highly probable in operating the personal information files.” Two different tests are used: “probable” for public institutions and “highly probable” for the private sector and other organizations and individuals.

The personal information processor is required to notify the aggrieved data subjects without delay if personal information is leaked. In the case of a large-scale data breach (above the level to be specified by the Presidential Decree), notification must also be given to the Minister of Public Administration and Security.

Article 40 of the PIPA establishes the Personal Information Dispute Mediation Committee, which will mediate any dispute over personal information. The Committee shall consist of not more than 20 members to be appointed by the Minister of Public Administration and Security. The PIPA sets out in significant detail the status of the committee members, the processes and procedures of the mediation, etc.

The PIPA gives several rights to the data subjects. These include the right to access personal information, the right to correct and delete, and the right to suspend the processing. The new Act also allows class action against the processor.

Chapter 9 of the PIPA, in Articles 70 to 75, provides for criminal offences and penalties. Any person who alters or deletes personal information processed by a public institution and causes suspension, paralysis or other severe hardship to the public institution commits an offence and shall be liable to imprisonment for not more than 10 years or to a fine not exceeding 100 million won. Other offences include providing personal information to a third party without the consent of the data subject or receiving such information, processing sensitive data, etc. A company and its employee, agent or representative can be held liable for the criminal offences unless the company or individual was not negligent in taking due care and supervisory duty to prevent the violation.

Article 75 provides a very long list of possible situations in which someone can be made liable to a fine for negligence not exceeding 10, 30 and 50 million won. These include a person who has installed and operated visual processing devices and a person who has failed to destroy the personal information, etc.