JIPYONG LLC

Jipyong News | Korea Legal Insight
New PIPC manual on Personal Data Processing Consent and Guideline for Privacy Policies
2022.05.09

On March 3, 2022, a new “Easy-to-Understand Manual on Consent for Personal Data Processing” (the “Manual”) and “Guideline for Writing Privacy Policies” (the “Guideline”) were published by the Personal Information Protection Committee of Korea (the “PIPC”).  The PIPC is Korea’s central data privacy regulator for oversight and enforcement of personal data protection under the Personal Information Protection Act (the “PIPA”), Korea’s primary privacy statute governing the collection, use, disclosure, and other processing of personal information.  The Manual and the Guideline warrant special attention from domestic and foreign corporations doing business in Korea, because they present a new set of criteria by which the PIPC may determine compliance with applicable privacy laws and regulations.


1. Overview

With digital transformation pervading all industries and the concomitant proliferation of personal data processing, the notion of “consent” has become complex, dynamic, and ambiguous.  The PIPC’s 2021 Personal Data Protection Survey revealed that 34.9% of data subjects do not read, or even glance at, a service provider’s privacy policy, because they believe they have no choice but to agree to it in order to access and use the services.  Data subjects feel that their consent is taken for granted, and thus feel vulnerable, powerless, and incapable of challenging any of a service provider’s privacy policies.

The Manual and the Guideline have thus been introduced to provide domestic and foreign businesses (“data controllers”) with step-by-step guidance for drafting their personal information management policies in accordance with Article 30 of the PIPA and Article 31 of the Enforcement Decree of the PIPA.  By proposing specific case scenarios, they seek to ensure that privacy policies are not merely formal documents but are written to adhere to the personal data protection principles under Article 3 of the PIPA.  By specifying how a privacy policy should be written and made available to the public, the Manual and the Guideline intend to increase the transparency of personal data processing, with the ultimate goal of safeguarding the fundamental right of consumers (“data subjects”) to control how their personal information is used and processed.


2. Key Components of the Manual: Four principles for data controllers to follow when obtaining consent

The PIPA requires a specific and legitimate basis for the processing of personal information, the most representative being a data subject’s consent.  In principle, a data subject’s express consent is required to process any of their personal information.  Accordingly, to obtain such consent, a data controller is required under the PIPA to notify the data subject of: (i) the person (or entity) to whom the personal information will be furnished; (ii) the purpose of use of the personal information by the receiving person (or entity); (iii) the types of personal information to be furnished; (iv) the time period during which the person (or entity) will possess and use the personal information; and (v) their right to refuse to consent and the consequences of refusal.

(1) Minimization of Data Collected

A data controller bears both a legal and moral responsibility to a data subject to: clarify the purpose for managing their personal information, lawfully collect the personal information, and limit the information collection to the minimum extent necessary to achieve such purpose.  In other words, a data controller must manage the data subject’s personal information so as to minimize the infringement of the data subject’s privacy as much as possible.

While one consent form may be used, separate consents must be obtained for each type of processing activity (e.g., collection, use, third-party provision) and each type of personal information (e.g., unique identification information, geolocation information, biometrics information).  For instance, a data subject’s contact information may consist of several individual pieces of information, and the data subject must be notified of the purpose of collection of each such piece of information, and only the minimum necessary extent of such information may be collected and processed for such purpose.  The burden of proof is on data controllers to demonstrate that the extent of personal information collected, processed, and/or provided to a third party is proportionate to the purpose for which it is required.

Data controllers must also delineate and fix the list of third-party recipients with whom the personal information will be shared; the scope of that list cannot be left open to subsequent expansion through terms such as “etc.”.

(2) Transparency

A data controller shall provide a clear, unequivocal notice to data subjects of the details of how their personal information is being used and/or will be used, and obtain their consent to the following matters before their personal information is collected and used: (i) the purpose of the collection and use; (ii) the items of personal information that will be collected; (iii) the duration of the possession and use of the personal information; and (iv) the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

When obtaining consent in writing, such matters (i.e., (i)-(iv) above) must be clearly indicated to make them easier to recognize.  In particular, the font size of any important parts of a written consent form must be at least 20% larger than the rest of the font used in the consent form, and the minimum font size used to mark the important parts should be in at least a 9-point font.  When obtaining consent in electronic documents, such as on websites and mobile apps, the original version must be in at least a 9-point font.

(3) Integrity

A data controller must verify that data subjects actually gave their consent and ensure that the consent was intentionally and voluntarily given.  The description of the types of information for which data subjects are providing their consent to collection must be easily understandable to anyone and provided in plain language through writing, telephone, Internet, mobile app, e-mail, or other media; and in the case of any audio or voice notification, the message must be delivered at a daily conversational pace/speed.  Excessive legalese or run-on sentences must be avoided; and where technical terms cannot be avoided, additional explanations must be provided.  Furthermore, the “I agree” checkbox must not be set as the default response when displaying a privacy policy online.  If the “I agree” checkbox is already marked, the data subject could proceed to the next screen without reading it; it would be difficult in such case to view such inadvertence as intentional or voluntary consent.

If the data subject or online service user is under the age of 14, their legal guardian’s consent must be obtained.  During the sign-up process for an online membership, the data subject’s age should be verified by having the data subject enter their legal date of birth, or by displaying a blank checkbox which the data subject may then mark as checked to confirm they are over the age of 14.
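The consent rules summarised in sections (1) to (3) above, expressed as a server-side validator.  This is an added example, not code from the PIPC Manual or from Jipyong; the field names and the sample record are constructed assumptions rather than any PIPC-defined schema.

```javascript
// Added example, not from the PIPC Manual or Jipyong: a server-side validator that
// encodes the consent rules summarised in sections (1)-(3). Field names and the
// sample record below are constructed assumptions, not a PIPC-defined schema.
const REQUIRED_NOTICE_ITEMS = ["purpose", "items", "retentionPeriod", "rightToRefuse"];

// Age on the consent date, computed from the date of birth the data subject entered.
function ageAt(dobIso, onIso) {
  const dob = new Date(dobIso), on = new Date(onIso);
  const years = on.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed = on.getUTCMonth() > dob.getUTCMonth() ||
    (on.getUTCMonth() === dob.getUTCMonth() && on.getUTCDate() >= dob.getUTCDate());
  return birthdayPassed ? years : years - 1;
}

// Returns a list of violations; an empty list means the record passes every check.
function validateConsentRecord(record) {
  const problems = [];
  const notice = record.notice || {};
  // Transparency: all four notice items must be present before collection.
  for (const item of REQUIRED_NOTICE_ITEMS) if (!notice[item]) problems.push(`missing notice item: ${item}`);
  // Minimization: recipients form a closed list, never left open with "etc.".
  for (const r of notice.recipients || []) if (/\b(etc\.?|and others)\s*$/i.test(r)) problems.push(`open-ended recipient list: "${r}"`);
  // One explicit, non-pre-checked consent per (processing activity, information category).
  const seen = new Set();
  for (const c of record.consents || []) {
    const key = `${c.activity}/${c.category}`;
    if (seen.has(key)) problems.push(`duplicate consent entry: ${key}`);
    seen.add(key);
    if (c.defaultChecked) problems.push(`pre-checked consent box: ${key}`);
    if (typeof c.granted !== "boolean") problems.push(`no explicit choice recorded: ${key}`);
  }
  // Form legibility: emphasised parts at least 9 pt and at least 20% larger than the body text.
  const f = record.form;
  if (f && (f.emphasisFontPt < 9 || f.emphasisFontPt < f.bodyFontPt * 1.2)) problems.push("emphasised items must be >= 9 pt and 20% larger than body text");
  // Integrity: a data subject under 14 needs their legal guardian's consent.
  if (ageAt(record.dateOfBirth, record.consentedAt) < 14 && !record.guardianConsent) problems.push("data subject under 14 without legal guardian consent");
  return problems;
}

// Constructed sample record that satisfies every check above.
const sampleRecord = { dateOfBirth: "2000-01-15", consentedAt: "2022-05-09",
  notice: { purpose: "Delivery of ordered goods", items: ["name", "phone"], retentionPeriod: "Until membership withdrawal",
    rightToRefuse: "You may refuse; delivery cannot then be arranged.", recipients: ["Example Courier Co. (constructed)"] },
  consents: [{ activity: "collection", category: "general", defaultChecked: false, granted: true },
    { activity: "thirdPartyProvision", category: "general", defaultChecked: false, granted: true }],
  form: { bodyFontPt: 10, emphasisFontPt: 13 } };
```

Running the validator on a record whose first box is pre-checked, whose recipient list ends in “etc.”, and whose data subject is 11 years old yields exactly those three violations.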

(4) Informed Consent

A data controller shall guarantee data subjects’ rights to make a decision and give a fully informed consent.  A data controller must not refuse to provide its goods or services, or otherwise disadvantage a data subject for refusing to consent to the data controller’s processing of their personal information beyond the minimum extent necessary to use the data controller’s services.  For instance, if an end user (i.e., data subject) is unable to proceed to the next webpage on a data controller’s corporate website without consenting to the processing of their personal information beyond the minimum extent necessary, then the data subject’s consent cannot be deemed to constitute informed consent.

Moreover, a data controller must guarantee that personal information is kept accurate, complete and up-to-date to the extent necessary to manage the personal information.  Collected personal information that becomes unnecessary or obsolete must be managed accordingly on an ongoing basis, e.g., by being destroyed.  Furthermore, personal information must be collected only at the time it is required.  Collecting personal information when it is uncertain whether such information will actually be used may constitute excessive collection, thereby putting the data subjects’ fundamental right to give informed consent at risk of infringement.


3. Key Components of the Guideline: Basic principles to consider when drafting privacy policies

A data controller must bear in mind the following principles when drafting a privacy policy and must be transparent in setting forth the details concerning its processing of personal information, such as by regularly updating its privacy policies to reflect its processing activities and privacy practices.  Many data subjects have noted that privacy policies effectively limit their privacy rights by using language that is too abstract and complex to understand.

1)  A data controller must openly disclose the status of its personal information processes with transparency and specificity; among other things, the data controller must show that the personal information being processed is the minimum necessary for the purpose for which such personal information was collected.

2)  A privacy policy must be written in clear and plain language that is broadly and generally understood.  Foreign business operators are required to provide information in plain Korean to enable domestic users in Korea to fully understand their privacy policies.  Article 18(1) of the Standard Personal Information Protection Guideline stipulates that a data controller must explicitly distinguish each item in the privacy policy with clarity, precision, and specificity in easy-to-understand terms.

3)  A privacy policy must be kept up-to-date.  Data subjects must be notified whenever a data controller is seeking consent for the collection, use, and provision of the data subjects’ personal information.  This principle (i.e., the right to be informed) is analogous to Articles 13 and 14 of the EU’s General Data Protection Regulation, under which it must be clear and transparent to individuals that personal information concerning them is being collected, used, consulted, or otherwise processed, and to what extent the personal information is, or will be, processed.

4)  The above principles apply in the same manner to any amendments to privacy policies, and in the case of any such amendment, the privacy policy must explicitly provide both pre- and post-amendment content for data subjects to be able to compare and confirm such amendments with ease.


4. Conclusion

Foreign and domestic businesses operating in Korea should monitor and stay abreast of the PIPA requirements and any amendments affecting their business, as sanctions for breach of the PIPA are not insubstantial (e.g., an administrative fine of up to KRW 10 million may be imposed for failure to disclose a privacy policy) and the PIPC is increasingly heightening its scrutiny.  With the publication of the Manual and the Guideline, there is less excuse for failing to ensure continuing compliance.