What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
There are a number of laws, regulations and guidelines relating to the collection and use of personal information in South Korea.
The Personal Information Protection Act (PIPA), the Enforcement Decree of the PIPA and the Enforcement Rules of the PIPA work together to set the general requirements on personal information processing and protection in South Korea, and are designed to protect the freedoms and right of individuals.
The Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (The Network Act), in conjunction with the Enforcement Decree of the Network Act and the Enforcement Rules of the Network Act, protects personal information in the context of communications services, and promotes cybersecurity.
The Credit Information Use and Protection Act (Credit Information Act), in conjunction with the Enforcement Decree of the Credit Information Act, and the Enforcement Rules of the Credit Information Act, regulates credit information companies (i.e. those who collect, use, investigate, manage or provide credit information). Together, they set the security measures that credit information companies must follow to protect credit information computer systems.
The Act on the Protection and Use of Location Information (Location Information Act) and the Enforcement Decree of the Location Information Act protects “location information” and “personal location information”.
Rights of Individuals under PIPA
PIPA sets out the rights of data subjects whose personal information is being processed. This includes the right to:
- be informed of the processing of their personal information;
- choose whether to consent and the scope of the consent;
- confirm whether their information is being processed and to request access, including copies;
- suspend the processing and request correction/erasure/destruction of their personal information; and,
- to appropriate redress for damages relating to their personal information being processed.
The current authorities responsible for enforcement of data privacy law and regulations in South Korea include the Personal Information Protection Commission (PIPC) and the Ministry of the Interior and Safety (MOIS):
PIPC – The PIPC is an independent body established under the Personal Information Protection Act to protect the privacy of individuals. The key role of PIPC is to deliberate on and resolve personal data-related policies, coordinate opinions among government agencies on processing of personal data, etc.
MOIS – The MOIS is responsible for personal data policy development and investigation and the enforcement of personal data protection legislation.