Privacy Law and Policy Reporter
Dr Chang-Boem Yi and Dr Ki-Jin Ok
The ‘information age’ has created efficiency and convenience for Koreans in both economic and social spheres. In fact, online and wireless communications have become a way of life for the nation.
It began with a goal of creating a communication network that would help create an efficient and compact government, enhance corporate productivity and improve living standards. From 1987 to 1996, the Project for a Nationwide Communication Network was implemented by the Korean Government, and produced a communication network. The network then spawned related databases in public administration, banking and finance, education, research, and national defence.
By June 2002, 25.7 million people (nearly 58 percent of the population) utilised the internet. Sixty seven percent of the households, or 9.8 million people, enjoy high speed internet services such as ADSL and cable. The widespread availability of high speed services is due to the Internet Service Speed-Up Project which has been in effect since 1995.
In Korea, everyone is accustomed to internet banking, internet shopping, emailing and so on. However, the sharp increase in the online population has also given rise to unexpected side effects, such as the infringement of people’s personal information. As a result, academics, journalists and non-governmental organisation activists have raised privacy issues and demanded effective countermeasures from the Government. As national concern over privacy and information protection mounts, the Korean Government has enacted information protection laws.
The Constitution of the Republic of Korea provides for the protection of the privacy and liberty of a citizen’s personal life. Article 17 states that all citizens shall enjoy the inviolable right to privacy. It purports to ensure every citizen has the right to control and determine their own personal information.
In line with the Constitution are a variety of statutes that provide for personal information. These statutes include the Protection of Communications Secrets Act 1993, the Telecommunications Business Act 1991, the Medical Service Act 1973, and the Act on the Protection of Personal Information Maintained by Public Agencies 1994. Additionally, other statutes such as the Use and Protection of Credit Information Act 1995, the Framework Act on Electronic Commerce 1999, the Digital Signature Act 1999, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc 1999, the Act on Protection of Consumers in Electronic Commerce, etc 2002 each contain their respective information protection provisions.
In 1999, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (Information Protection Act) was enacted to provide guidelines for personal information protection in the private sector. This Act, which came into effect in 2000, adopted eight principles recommended by the OECD Privacy Guidelines of 1980, including the principles of information protection, the rights of data subjects, the responsibilities of service providers, and possible remedies following personal information infringements.
The Act on the Protection of Personal Information Maintained by Public Agencies has comprehensive provisions for protecting personal information managed by computers of public agencies.
In the next part of this article, personal information protection both in the private sector and in the public sector of Korea will be discussed briefly. The Information Protection Act will be explained as the representative legal framework which is applied to the private sector. The Act on the Protection of Personal Information Maintained by Public Agencies will also be described for its role in introducing personal information protection to the public sector.
In the scope of the Information Protection Act, ‘data subject’ is defined as someone who utilises the information and communications services rendered by the providers of information and communications services. The purpose of the Information Protection Act is to protect the personal information of such users.
The main subjects of the Act are ‘providers of information and communications services’ (the service providers). Other subjects are persons who seek profit by either providing information or intermediating the provision of information, while utilising the telecommunications services. Specific offline companies such as travel agencies, airlines, hotels, and educational institutes are also covered by the Act.
The term ‘personal information’ means the information pertaining to any individual who is alive, which contains any code, letter, voice, sound, image and so on that make it possible to identify such an individual by his or her name and resident registration number, or other means (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information).
User consent is necessary when the service provider intends to collect the user’s personal information and provide it to third parties beyond the guidelines prescribed in the Act or specified in the service contract. The user is entitled to control his or her own information and the service provider must first seek permission to divulge personal information to third parties.
However, user consent is unnecessary if personal information is used to effect a service contract or to adjust fees for the provision of the services. It is also unnecessary under special provisions that exist in the Act or other legislation, or when the personal information is processed to the extent that the user is unidentifiable so as to compile statistics, conduct academic research or conduct a market survey.
Also under the Act, the user may at any time withdraw his or her consent given to the provider. Upon receiving a withdrawal of the consent, the provider must promptly take necessary measures such as disposing of personal information gathered or suspending the ‘out of purpose’ use. Whereas other Acts and subordinate statutes require the preservation of such personal information, this is not the case with this Act.
Each user is entitled to examine his or her personal information. If that information is erroneous, he or she is entitled to request corrections.
Without the consent of a user, the provider cannot gather sensitive information about a user, including ideology, faith and medical history, which is likely to infringe excessively on the rights, interest and privacy of a user.
When the service provider intends to gather personal information from users under 14 years of age, whether for its own use or to convey the information to any third party, the service provider must obtain consent from the children’s legal representative. In this case, the provider may ask for the necessary minimum information, including the name and so on of the legal representative without his or her prior consent, in order to pursue the agreement of the legal representative.
The Personal Information Protection Guidelines indicate a few examples of how the service provider can obtain consent from the children’s legal representative, such as by:
In September 2002, the Ministry of Information and Communication investigated online game companies and imposed fines on companies which didn’t have any due processes for obtaining consents from the legal representative.
The legal representative is entitled to request access to, or correction of, the child’s information. After receiving a request for corrections, the provider must cease to use or give out the erroneous information until it is corrected. The legal representative also has the right to withdraw his or her consent.
It is prohibited to send unsolicited advertising email (spam) after an addressee explicitly refuses such emails.
Unsolicited advertising email should contain the following:
In the event that a user suffers damage from the service provider violating the information protection provisions, the user may claim compensation from the provider. In this case, the provider will be held responsible if it fails to prove the non-existence of an intention to infringe, or the absence of negligence causing such violations.
Claims for damages may be filed with the Personal Information Dispute Mediation Committee, as explained below, or through the court system.
The service provider is required to collect the least amount of personal information within the ambit of its indicated purposes. The provider cannot refuse to provide services to a user who gives only the minimum required information.
No sensitive information regarding political opinions, religious or philosophical beliefs, or past history of health problems can be gathered for any purpose, except when the user willingly provides it or other laws require the collection of such information.
The service provider is required to notify and explicitly inform its users of how users’ personal information is processed by the Information Protection Act to ensure the full authority of the users. In so doing, the users can allow or refuse the collection and use of their own personal information.
When collecting personal information, the service provider shall notify the following to users or explicitly note in the general conditions for use:
At the time of business transfers or mergers and acquisitions (M&As) when personal databases are shared between the parties, the transferor or transferee shall notify data subjects of the following:
− the ground (for example, a business transfer or M&A) for the transfer of the database; and
− the name, address and telephone number of the transferee; and
− the fact of transfer of database, and the name of the new provider;
− the name of personal information manager, department, title and telephone number or other contact details of the new provider;
− how the information is to be used;
− the particular personal information to be received;
− the pertinent information on access to or correction of personal information; and
− the period of maintenance and utilisation of personal information.
When the service provider authorises a third party to process the collection, handling and maintenance of personal information, the provider must notify the users of that fact. In such a case, the provider is responsible for any damages that the authorised third party causes if violating information protection provisions.
The service provider may use or convey to the third parties personal information beyond the purposes indicated at the time of collection only with the consent of the data subject.
But in cases where information collection is necessary to calculate the charges for information and communication services, or to conduct statistical works, academic research or market surveys without exposing any individual particulars, or where other laws demand the disclosure of personal information, the provider may use or convey such information to the third party without user consent.
The service provider must promptly take necessary measures when users request access to or correction of their own personal information. In such cases, the provider must cease to use or convey such information until the necessary correction is made.
The provider cannot, under any circumstance, make it more difficult for users to request withdrawal of consent, access to or correction of personal information, than it is for the provider to collect such information.
If a user has withdrawn the consent to use and convey personal information, the service provider must promptly delete such information if there is no valid reason to maintain it.
Notwithstanding a request to delete, the provider may maintain the information only if other laws demand its maintenance or if there remains the need to settle past due service bills.
The service provider must take necessary technological and managerial safeguards to secure the information to ensure it is not lost, stolen, leaked out, altered or damaged.
The provider should keep the number of personal information managers to a minimum.
The service provider should appoint a personal information manager who will safeguard information and deal with complaints from users.
The personal information manager may be elected among the officers, or the heads of departments handling personal information or dealing with complaints from users.
The Information Protection Act prevents a service provider from entering into an international contract which might violate the information protection provisions.
The Ministry of Information and Communication is in charge of establishing information protection policies and implementing the Information Protection Act. The Ministry is also responsible for information and communication networks, as well as the maintenance and supervision of telecommunications, postal services and related financing.
Therefore, the Ministry could order corrections or inflict a penalty upon identified violators, thereby encouraging the industry into using practices respectful of personal information.
The Korea Information Security Agency (KISA) was established as a government sponsored public interest agency in April 1996. The agency’s main duty is to systematically protect information.
KISA shall be engaged in the following:
In particular, KISA has operated the Personal Information Protection Center since April 2000. This center’s purpose is to handle complaints regarding personal information infringements, to conduct surveys and monitor market practices, and to give counsel on personal information protection queries.
The Personal Information Protection Center:
It is contactable at email@example.com/; <www.kisa.or.kr/>; or <www.cyberprivacy.or.kr>.
The Personal Information Dispute Mediation Committee was established in December 2001 to facilitate prompt, convenient and appropriate settlements of disputes that arise from the use of personal information.
The committee is composed of 15 members, appointed or commissioned by the Minister of Information and Communication, ranging from appropriately qualified lawyers, IT engineers, professors, representatives from consumer organisations and businesses. Each member’s term (three years), integrity and expertise is guaranteed by the Information Protection Act.
Dispute mediation proceedings can be initiated by either a data subject or a service provider, and are settled free of charge. When an application for mediation is filed with the committee, the committee commences an informal investigation and recommends a settlement prior to the formal mediation.
If both parties fail to agree upon a settlement, the committee starts the mediation proceedings. After hearings, fact finding and examinations by experts, the committee suggests a mediation proposal for an agreement by the parties within 60 days from the filing of the application.
Within 15 days of the proposal, the involved parties may agree to execute the mediation proposal. Otherwise, each party may file a civil lawsuit with the court, and the committee may assist the data subject in the court proceedings. Of course, the parties may go directly to the court without filing an application for mediation with the committee.
The Secretariat of the Personal Information Dispute Mediation Committee is set up within KISA and carries out:
It is contactable at firstname.lastname@example.org/; <www.kisa.or.kr/>; or <www.e-privacy.or.kr>.
Investigation by both police and public prosecution authorities will occur if the violation of information protection provisions suggests criminal activity.
It should be noted that the Cyber Terror Response Center in the National Police Agency (www.police.go.kr; email@example.com) endeavors to prevent any wrongdoing or misuse of personal information in internet based criminal activities.
In the Supreme Public Prosecutors’ Office, the Internet Crime Investigation Center (dci.sppo.go.kr, icic@icic.sppo.go.kr) devotes itself to stopping hacking and viruses, internet based frauds and personal information infringements.
The Korea Association of Information and Telecommunication (KAIT) is awarding the ‘Privacy Mark’ to internet sites and online businesses which satisfy stringent criteria in information protection. Its label is reproduced below.
The Privacy Mark is displayed on websites that:
The advantages of the Privacy Mark include:
− to cope with ‘netizen’s’ increasing dissatisfaction with spam;
− to improve the internet based business culture and to establish a sound email environment; and
− to co-ordinate the interests of email marketing businesses by developing software or by staging a campaign prohibiting spam.
The purpose of the Act on the Protection of Personal Information Maintained by Public Agencies is to secure personal information managed by computers of public agencies.
‘Public institution’ includes any national administrative agency, local government, or other public agencies provided by the Presidential Decree. Other public agencies established by the Presidential Decree include schools, government invested institutions, special juristic persons and so on.
‘Personal information’ is defined as the information concerning a living person, including a full name and a resident registration number and so on, by which the individual concerned can be identified (including information by which the individual concerned cannot be identified but can be identified by simple combination with other information).
A data subject may request, in writing, inspection of what already has been recorded on the personal information file register as information concerning him or herself. The request is to be submitted to the head of the agency in possession (including agencies holding copies of the document).
When the head of the agency in possession receives an inspection request, if there is no justifiable reason for refusal he or she shall allow the applicant to inspect the managed information within 15 days from the date of receipt of the official request.
A data subject who is able to inspect the managed information regarding him or herself may make a written request to the head of the agency in possession for the correction of the information concerned.
In relation to the correction request of the contents of the information, the head of an agency in possession shall, without delay, investigate and take necessary measures and afterwards notify the results to the concerned person who made the request.
In matters pertaining to a request of inspection and correction, an individual whose rights and benefits have been infringed upon by act or omission done by the head of a public agency may request an administrative appeal under the Administrative Appeals Act.
Any public agency may possess many personal information files which are necessary to properly execute jurisdictional operations. The head of a public agency shall not collect personal information that may noticeably infringe upon the fundamental personal rights of a person such as their ideas and beliefs. Provided that the data subject consents or, in cases when the collection is required by other Acts, this prohibition shall not apply.
Where the head of a public institution needs to possess personal information files, the head of the central administrative agency must notify the Minister of Government Administration and Home Affairs, while other heads of public agencies (schools, government invested institutions, special juristic persons, and so on) must notify the head of related central administrative agencies.
The Minister of Government Administration and Home Affairs or the head of the central administrative agency concerned shall make a public announcement of the notices received at least once a year in a publication in the official Gazette.
When managing personal information, the head of a public agency shall devise measures to secure its safety against loss, theft, leakage, forgery or impairment. The head of a public agency shall make efforts to maintain the information so that it is accurate and up to date.
The head of an agency in possession shall not use or transfer information to another agency for purposes other than those of the original collection of the personal information.
An employee or former employee whose duties are or were the managing of personal information, or a person employed by a public agency which is or has been devoted to the operations of managed information, may not leak, manage or transfer the information for use by any other person or for improper purposes.
The Minister of Government Administration and Home Affairs may, if it is deemed necessary for the enforcement of the Act, request the submission of data related to the management of personal information to the head of a public agency, and order public officials under his or her control to make an investigation into actual conditions.
For the attainment of the purpose of the Act, the Minister of Government Administration and Home Affairs may, if it is deemed necessary, present advice or recommendations to the head of the public agency on matters pertaining to the protection of personal information.
When necessary for the protection of personal information managed by computer, the head of the central administrative agency concerned may present advice or guidance and inspections, in matters pertaining to the protection of personal information, to national administrative agencies, local governments and other public agencies.
For the deliberation of matters pertaining to the protection of personal information managed by the computer of a public agency, the Deliberation Committee on the Protection of Personal Information (the Committee) was established under the command of the Prime Minister.
The Committee deliberates on issues falling under any of the following:
In matters pertaining to a request for inspection and correction of managed information, a data subject whose rights and benefits have been infringed upon by an act or omission done by the head of a public agency may request an administrative appeal under the Administrative Appeals Act.
In general, a data subject whose rights have been infringed upon in collection, process, use, and transfer of personal information may request administrative appeal, claim damages and also use the Ombudsman system (the Ombudsman of Korea, at <www.ombudsman.go.kr>).
Dr Chang-Boem Yi and Dr Ki-Jin Ok, Secretariat of the Personal Information Dispute Mediation Committee, Korea Information Security Agency (KISA).