Jipyong News|KOREA LEGAL INSIGHT
Improving Data Security: Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators
2024.10.07
On April 4, 2024, the Personal Information Protection Commission of Korea (the “PIPC”) released its Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators (the “Guidelines”). The Guidelines provide clear standards for foreign business operators to ensure compliance with the Personal Information Protection Act (the “PIPA”) and are specifically aimed at significantly improving the data security of Korean data subjects. The key details of the Guidelines are as follows:


Foreign business operators that are subject to the PIPA

According to the Guidelines, foreign business operators are subject to the PIPA if they meet any of the following criteria: (i) they offer goods or services to Korean data subjects; (ii) they conduct personal data processing activities that impact Korean data subjects; or (iii) they maintain a place of business within Korea.
 
(i)    Offering goods or services to Korean data subjects

The Guidelines provide that the PIPA applies to foreign business operators if they provide goods or services to Korean data subjects. To assess whether a foreign business operator is indeed offering such goods or services to Korean consumers, several factors may be considered, such as the language used, the currency accepted, and the specific form and approach employed in the provision of those services.

Examples of scenarios in which the PIPA is applicable include:
(1)  If a foreign business operator explicitly indicates that it provides goods or services to Korean data subjects;  
(2)  If a foreign business operator operates a website using a Korean domain (e.g., .kr, ko-kr);
(3)  If a foreign business operator launches a service on the mobile application market targeting Koreans; or
(4)  If a foreign business operator provides services only in the Korean language.

Conversely, the PIPA does not apply in certain situations where a foreign business operator offers goods or services online but expressly restricts access by Korean data subjects (e.g., blocking access from Korean IPs). Therefore, we advise foreign business operators to carefully assess whether they are subject to the PIPA based on these considerations.
 
(ii)  Conducting personal data processing activities that impact Korean data subjects

Even if the foreign business operator does not directly offer goods and services to Korean data subjects, it may still be subject to the PIPA if it processes their personal information in a manner that has a direct and significant impact on them. For example, if a foreign business operator collects personal information from Korean data subjects through a service not specifically aimed at Korean data subjects but subsequently discloses this information on its website, such actions could be considered to have a substantial impact on Korean data subjects according to the PIPA.
 
(iii) Maintaining a place of business within Korea

The Guidelines also indicate that a foreign business operator is subject to the PIPA if it has a place of business in Korea where the personal information of Korean data subjects is processed. In such a case, a detailed assessment must be conducted to verify the relationship between the processed personal information and the foreign business operator’s business activities in Korea.


Legal requirements under the Guidelines

The foreign business operators subject to the PIPA are required to adhere to the following legal requirements as outlined in the Guidelines:
 
 
1.    Leakage notification and reporting obligations: If the foreign business operator becomes aware of a loss, theft, or leakage of personal information that has left the control of the personal information controller, resulting in a situation where a third party could gain access to the information (“Leakage”), it is required to notify the affected data subjects within 72 hours. If a Leakage involves the personal information of 1,000 or more data subjects, sensitive or unique identification information, or results from illegal external access, the foreign business operator must also report the incident to the PIPC within 72 hours.
 
2.    Disclosure of privacy policy: The foreign business operator must provide a personal information processing policy (the “Policy”) in the Korean language, and the Policy should be created in accordance with the requirements of the PIPA rather than merely translating policies used in other countries. The Policy must clearly identify the personal information processor. If the personal information of Korean data subjects is processed abroad, the Policy must also specify that the information is handled overseas and also state the country and the name of the business operator responsible for processing the data.
 
3.    Rights of data subjects: Specific methods must be established to allow data subjects to request access to, correction of, or deletion of their personal information, among other rights. If another country’s laws restrict the disclosure of information requested by a Korean data subject, the foreign business operator must assess whether complying with the foreign law outweighs the need to protect the personal information.
 
4.    Consent requirement for personal information of minors under the age of 14: When a foreign business operator processes personal information of minors under the age of 14, it must obtain consent from their legal representative and verify that such consent has been granted.
 
5.    Restricting overseas transfer of personal information: The PIPA generally prohibits the transfer of personal information abroad, with a few exceptions (e.g., obtaining specific consent from the data subject).
 
6.    Liabilities for damages: The PIPA permits Korean data subjects to seek damages from a company in cases of harm, such as Leakage. To address this liability, the foreign business operators must implement necessary measures, such as securing insurance or setting aside deductibles.
 
7.    Delegating personal information processing: If the foreign business operator engages a third party to process Korean data subjects’ personal information, it must clearly distinguish between “provision” and “consignment” of the data and comply with the relevant obligations under the PIPA.
 
8.    Designating a domestic agent: The foreign business operator must appoint a domestic agent if (i) it does not have an address in Korea but its sales or the scale of its personal information retention exceeds a certain threshold, or (ii) the PIPC determines that designating a domestic agent is necessary.
 
9.    Investigation of the PIPA violations: The PIPC may initiate an investigation into the foreign business operator if it discovers or suspects violations of the PIPA. It can request relevant documents and send officials to the foreign business operator’s premises to gather statements, observe operations, and review records. Furthermore, the PIPC may also require key individuals to attend and provide statements as needed.
 
10.  Corrective measures and sanctions: If the PIPC confirms that a foreign business operator has violated the PIPA, it may take necessary actions such as ordering cessation of personal information infringement, temporarily suspending personal information processing, imposing fines or administrative penalties, or any other necessary actions to protect and prevent further breaches.


Takeaway

The Guidelines are designed to help foreign business operators understand their obligations under the PIPA and navigate the complexities of data protection. Should a foreign business operator infringe on the personal information of a Korean data subject, affected subjects have the right to seek relief and remedy through the dispute mediation committee and may claim damages for any harm suffered. To avoid these potential consequences and ensure proper adherence to the law, any foreign business operator engaging with the Korean market should meticulously review the Guidelines. By taking these steps, foreign business operators can safeguard against violations and maintain compliance with the PIPA.