University of New South Wales Faculty of Law Research Series
Last Updated: 1 August 2012
Korea’s new Act: Asia’s toughest data privacy law
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales
Whon-il Park, Professor of Law, Kyung Hee University, South Korea
This paper is available for download at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983
This paper was published in Privacy Laws & Business International Report, Issue 117, 1-6, June 2012. This paper may also be cited as UNSWLRS 28.
South Korea’s new Personal Information Protection Act came into force on 30 September 2011. A six-month grace period in which the Act was not strictly enforced ended on 31 March 2012. Business commentators describe the Act as the ‘strictest in the world’, as the Asian law to which most attention should be paid, and as a law likely to be enforced. This brief article explains why.
The new Act replaces the existing Public Agency Data Protection Act in whole and, in relation to the private sector, replaces in part the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. That Act will continue to impose additional privacy and other obligations on information and communications service providers (ICSPs). Korea’s previous legislation had considerable limitations. In the private sector, its scope was limited to businesses utilising telecommunications services, although it was actively enforced by a novel mediation structure that is being continued under the new legislation. The public sector legislation, administered by the Ministry of Public Administration and Security (MOPAS), covered all public agencies and included most basic OECD principles, but with few limits on excessive data collection by governments. However, there seems to have been minimal enforcement.
The new Act is therefore Korea’s first comprehensive data privacy Act, because it covers both the public and private sectors, and the whole of the private sector. More than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms. The Act adds many new features to existing strong foundations.
The article identifies seventeen ways in which this Act’s principles exceed the OECD/APEC standards, including: an independent fifteen-member Data Protection Commission (a departure from the Ministry-based enforcement of civil law neighbours Japan and Taiwan); Privacy Compliance Officers required for most businesses and agencies; collective mediation for disputes involving widespread small damage; mandatory data breach notification to affected individuals and, where the breach is significant, to authorities; mandatory Privacy Impact Assessment (PIA) for potentially dangerous public sector systems; and explicit (opt-in) consent required for marketing using a company’s own databases.
The new Act establishes a complex administrative and enforcement structure involving five parties: (i) the Data Protection Commission (DPC); (ii) the Korea Internet & Security Agency (KISA) and its Personal Data Protection Center (PDPC); (iii) the Personal Information Dispute Mediation Committees (Pico); (iv) the Ministry of Public Administration and Security (MOPAS); and (v) the Korea Communications Commission (KCC). Korea has developed a system unique in the Asia-Pacific of two independent bodies: one for complaint resolution (Pico), serviced by a government agency (KISA/PDPC), and the other (the DPC) for ‘policy matters’ (with its own internal secretariat).