New South Korean Amendments Include New Data Breach Notification Requirements, Expanded Data Protections

April 17, 2012, 6:50 PM UTC

The Act on Promotion of Information and Communications Network Utilization and Information Protection (the “ICNA”) as amended was promulgated on February 17, 2012. The ICNA applies to “information and communications service providers” (“ICSPs”) which are defined to be 1) commercial providers of information services (including those provided by way of using a telecommunications service (e.g., internet service), typically online service providers (including content providers and application providers)), or 2) telecommunications service providers (including facilities-based carriers, resale carriers and value-added service providers).

Outline of Amendments

Amendments Regarding Resident Registration Numbers (“RRNs”): Article 23-2, to be effective on August 18, 2012


  • No Collection of RRNs: No ICSP may collect or use RRNs, subject to certain limited exceptions.

  • Two-Year Grace Period for Already-Collected RRNs: ICSPs that have already collected RRNs when users signed up for their service products must remove (or erase) all the RRNs retained by them by no later than August 18, 2014.

Regular Notification of Use of Sensitive Data and Personal Data: Article 30-2, to be effective on August 18, 2012

The ICSP must regularly notify its users of the specifics of its use of their sensitive data as well as personal data which have been collected/used by the ICSP pursuant to the ICNA.

Unused Personal Data: Article 29.2, to be effective on August 18, 2012

If personal data are unused for a certain period of time (to be prescribed by an executive order later on), the personal data may not be retained by the ICSP any longer, and the ICSP must dispose of them (as prescribed by an executive order).

Data Leak or Breach Notification: Article 27-3, to be effective on August 18, 2012

If it becomes aware of a data leak or breach, the ICSP must, without delay, notify the relevant data subjects and the Korea Communications Commission (“KCC”) of relevant information as prescribed by law, and take measures to minimize damages caused thereby.

Data Protection in the Network/Service Planning or Designing Stage and Appointment of the Chief Security Officer: Articles 45-2 and 45-3, to be effective on February 18, 2013

Further, the ICSP must take into account data protection-related concerns and reflect them in the relevant plan or design when constructing a new information and communications network or providing new information and communications services. The KCC may request ICSPs to implement certain data protection measures pursuant to its examination criteria for data protection. (The examination criteria have yet to be established.)

The amended ICNA encourages the ICSP to have a chief security officer (“CSO”) on an executive level, who will take charge of secure data-handling and the security of its data communications systems. It further encourages ICSPs to organize and operate a council composed of CSOs for joint prevention of and countermeasures to infringement incidents, exchange of relevant information, and so on.

Personal Information Management System (“PIMS”): Articles 47, 47-3 and 47-5, to be effective on February 18, 2013

A PIMS will be introduced in South Korea, effective on February 18, 2013. Under the amended provisions, certain entities (to be determined) must become certified by the KCC or the Korea Internet Security Agency or through KCC’s certification agencies as to whether their PIMS (i.e., established and operated by such entities) is in compliance with all of the pertinent requirements of the ICNA. Thereby, the PIMS regulation will be enhanced, in that the current PIMS certification system will be replaced with a new system, under which certain entities have a legal obligation to have their PIMS duly certified. The details relating to PIMS regulation, including the scope of entities subject to such obligation, are expected to be announced later this year.

Significance of the Amendments

It is notable that the above-mentioned amendments will further expand the bounds of data protection, to protect not only data subjects who are actively exercising their right to privacy, but also data subjects who are relatively inactive. (By comparison, the existing ICNA or the Data Protection Act (“DPA”) seems to assume data subjects who are active in the protection of their personal data, and the laws have so far focused on helping active data subjects’ exercise of their privacy rights.)

However, the amended ICNA, having in mind inactive online service users as well, in principle prohibits the collection of RRNs, that is, the most critical and material personal information in South Korea (first subhead under “Outline of Amendments” above); also extends protection with respect to personal data seemingly neglected by data subjects (third subhead under “Outline of Amendments” above); and provides data subjects with opportunities for considering the exercise of their privacy rights, through regular notification of the usage of their personal data as well as sensitive data (second subhead under “Outline of Amendments” above).

The new obligation (relating to RRNs) summarized under the first subhead under “Outline of Amendments” above appears to solve problems, unique to South Korea, that arise from the collection and use of RRNs. To our knowledge, the legal requirements summarized under the second and third subheads under “Outline of Amendments” above were introduced into law for the first time in the world.

The legal requirement (regarding data breach notification) summarized under the fourth subhead under “Outline of Amendments” above is relatively harsh as compared to a similar requirement under the DPA, in that the new ICNA requirement is triggered upon the occurrence of any data breach/leak. By contrast, the DPA requirement is triggered in limited circumstances, e.g., the DPA requires notification to the competent authority (that is, the Ministry of Public Administration and Security) only if the data breach/leak involves 10,000 or more data subjects. Therefore, entities regulated by the ICNA may have a greater burden than entities regulated by the DPA only, in the case of the occurrence of a data leak/breach.

Conclusion

In conclusion, while from the data subject’s standpoint the shift of focus has significance in terms of further expanded protection of personal data, the amended ICNA will impose additional burdens on companies handling personal data (particularly those in the online service sector) to which the ICNA applies.

Implementing regulations and ordinances are yet to be prepared, but will be available prior to August 2012 when some of the amendments will take effect.

Kwang Bae Park is a Partner and Head of the Technology/Media/Telecommunications team of Lee & Ko, Seoul. He may be contacted at kbp@leeko.com.
