The Introduction of the GDPR and Its Implications in South Korea
The General Data Protection Regulation (hereinafter referred to as the “GDPR”) of the European Union (hereinafter referred to as the “EU”) came into effect on May 25, 2018, replacing the previous Data Protection Directive 95/46/EC (hereinafter referred to as the “DPD”), which had set the minimum standards for processing data in the EU. The GDPR was designed to strengthen and unify data protection requirements across the region, and it has been affecting businesses on a global scale since its introduction.
Companies in South Korea that process information of European citizens are no exception. They must not only abide by the local data regulations but also ensure that they are fully compliant with the GDPR. If the companies fail to comply with the GDPR, they will end up facing various economic, reputational, and commercial consequences. This paper will present an overview of the major changes in the GDPR and discuss the new regulation’s implications in South Korea.
I. Introduction
The General Data Protection Regulation (hereinafter referred to as the “GDPR”) of the European Union (hereinafter referred to as the “EU”) came into effect on May 25, 2018, replacing the previous Data Protection Directive 95/46/EC (hereinafter referred to as the “DPD”), which had set the minimum standards for processing data in the EU. The GDPR was designed to strengthen and unify data protection requirements across the region.
The new regulation has been affecting businesses on a global scale since its introduction. To be more specific, the GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of their location. Such extended extraterritorial applicability has led many companies around the world to question their “GDPR-readiness” and thus holistically reassess their existing data protection policies and measures.
Companies in South Korea that process information of European citizens are no exception. They must not only abide by the local data regulations but also ensure that they are fully compliant with the GDPR going forward. If the companies fail to comply with the GDPR, they will end up facing various economic, reputational, and commercial consequences. This paper will present an overview of the major changes in the GDPR and discuss the new regulation’s implications in South Korea.
II. An Overview of the Major Changes in the GDPR
- Expanded Definitions of Personal Data and Consent
Under the DPD, personal data included a person’s name, photo, contact information, or any personal identification number (e.g. national identification number, bank account, etc.). Under the GDPR, the scope of personal data has been expanded to include location data, biometric data, and online identifiers such as IP addresses and mobile device identifiers. The list of potential identifying factors has also been expanded to expressly include genetic factors.[i] Also, two new categories, ‘genetic data’ and ‘biometric data’, have been added to the list of special categories of personal data that are considered sensitive and thus prohibited from being processed unless certain conditions are met.[ii]
The definition of ‘consent’ has also been expanded under the GDPR. Previously, under the DPD, the data subject’s consent was defined as “any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.[iii] Under the new regulation, the data subject’s consent must also be “unambiguous”, and it can be given “by a statement or by a clear affirmative action” signifying assent to processing.[iv] Moreover, Article 7 of the GDPR sets out strengthened conditions for valid consent. For instance, if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such declaration which constitutes an infringement of the regulation shall not be binding, and the data subject shall have the right to withdraw his or her consent at any time. Most importantly, the data subject’s consent must be explicit opt-in consent. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.[v]
- Expanded Territorial Scope
The geographical reach of the DPD was rather ambiguous, referring to data processing ‘in the context of an establishment’, and silent on the location of processors. The GDPR has clarified and expanded the territorial scope. It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not.[vi] It also applies to the processing of the personal data of data subjects residing in the EU by a non-EU controller or processor in connection with the offering of goods or services to them or the monitoring of their behaviour within the EU.[vii]
- Rights of the Data Subject[viii]
Articles 12 through 23 of the GDPR stipulate certain rights of data subjects. The right to restriction of processing, the right to erasure, the right to rectification, the right to access and the right not to be subject to a decision based solely on automated processing, including profiling, have been strengthened, and the “right to data portability” has been newly introduced.
(1) Right to Restriction of Processing
Under the DPD, the data subject could “block” processing of personal data.[ix] Article 18 of the GDPR strengthened this right by specifically conferring the “right to restriction of processing” upon data subjects, detailing the conditions and consequences of the enforcement of this right and the obligations of controllers. For instance, with respect to the conditions under which the right can be exercised, the DPD only mentioned “incomplete or inaccurate nature of data” as grounds for exercising this right. The GDPR, however, provides that the data subject shall have the right to obtain from the controller restriction of processing when (i) the accuracy of the personal data is contested, (ii) the processing is unlawful, (iii) the controller no longer needs the personal data for the purposes of the processing or (iv) the data subject has objected to processing.
(2) Right to Erasure
The right to erasure is also referred to as the “right to be forgotten”. The data subject can request data controllers to erase his or her personal data under certain circumstances. Previously under the DPD, each member state had to guarantee every data subject, as part of the “right of access”, the right to obtain from the controller the erasure of data when processing did not comply with the directive or when data was incomplete or inaccurate.[x] The GDPR has strengthened this right by specifically conferring the “right to erasure” upon data subjects, prescribing the following in detail: the conditions under which the right can be exercised, the conditions under which a request for erasure shall not be granted and the controller’s obligations when personal data has been made public.[xi]
(3) Right to Rectification
Under the DPD, the data subject could obtain from the controller the rectification of data when processing did not comply with the directive or when data was incomplete or inaccurate.[xii] Article 16 of the GDPR has strengthened this right by specifically conferring the “right to rectification” upon data subjects. The data subject now has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data. The data subject shall also have the right to complete incomplete personal data by means of providing a supplementary statement.
(4) Right to Access
The data subject’s right to access information regarding personal data has been strengthened under the GDPR.[xiii] The scope of accessible information has been expanded, and the data subject now has a right to be informed about the safeguards in case of any data transfer to a third country outside the EU. Also, the controller is obligated to provide a copy of data undergoing processing.
(5) Automated Individual Decision-Making, Including Profiling
Article 22(1) provides that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. ‘Automated decision-making’ refers to the process of making a decision by automated means without any human involvement (e.g. an online decision to award a loan),[xiv] and ‘profiling’ means any form of automated processing of personal data that consists of the use of personal data to evaluate certain personal aspects relating to a natural person.[xv]
The purpose of this provision is to protect individuals from automated decisions that can adversely affect their legal rights. The GDPR imposes an obligation on the controller to ensure that the data subject can obtain human intervention, express his or her point of view and challenge the decision. It also limits automated decision-making when the special categories of personal data are to be processed or when the data subject is a child.
(6) Right to Data Portability
The right to data portability has been newly conferred upon data subjects under the GDPR, giving them more control over their own data. The right entitles the data subject to receive his or her personal data, which he or she has previously provided to a controller, in a structured, commonly used and machine-readable format and transmit such data to another controller without hindrance from the current controller when certain conditions are met.[xvi]
- Administrative Fines
Organizations in breach of the GDPR can be fined up to 20 million euros or 4% of their total global turnover of the preceding fiscal year, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements, such as not obtaining customer consent to process data. For less severe violations, such as not having their records in order, organizations can be fined up to 10 million euros or 2% of their total global turnover of the preceding fiscal year, whichever is higher.[xvii]
- Data Protection Officers
Under the GDPR, the controller and the processor must designate a data protection officer in any case where (i) the processing is carried out by a public authority or body, (ii) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or (iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.[xviii]
III. Implications of the GDPR in South Korea
- South Korea’s Personal Information Protection Act
Personal data protection laws of South Korea consist of the Personal Information Protection Act (hereinafter referred to as the “PIPA”) as a general law and several sector-specific laws, including but not limited to the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., the Use and Protection of Credit Information Act and the Act on the Protection, Use, etc. of Location Information. The PIPA was enacted on September 30, 2011 with the aim of ensuring a high level of protection of personal data and transparent processing by personal information controllers.
The PIPA has often been described as one of the strictest data privacy laws in the world, mainly due to its comprehensive application and its array of enforcement mechanisms. There is also a view that the PIPA’s strength comes from its central focus on informed consent.[xix] The PIPA applies to any public institution, corporate body, organization, individual, etc. that, directly or through another person, processes personal information in order to operate personal information files as part of its duties.
- How Are the GDPR and the PIPA Different?[xx]
As analyzed by the Korea Internet & Security Agency (KISA), a statutory organization established by the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., the vast majority of the principles of the GDPR are already reflected in the PIPA, but there are also distinct differences between the two regulations, as follows.
(1) Territorial Scope
The GDPR expressly states that even non-EU companies must comply with the regulation if their processing activities are related to the offering of goods and services to or behavioral monitoring of data subjects residing in the EU. The PIPA, however, is silent on foreign companies.
(2) Enhancement of Corporate Responsibility
Under the GDPR, the controller and the processor shall designate a data protection officer where (i) the processing is carried out by a public authority or body, (ii) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or (iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.[xxi] The data protection officer shall be designated based on professional qualities such as expert knowledge of data protection law and practices, and the ability to fulfil the relevant tasks.[xxii] Under the PIPA, the personal information processor must appoint a chief privacy officer (CPO).[xxiii] Unlike the GDPR, which focuses more on professional qualities, the PIPA requires chief privacy officers to be appointed from among senior-level officials or executives.[xxiv]
Also, the GDPR is much stricter in terms of recordkeeping of processing activities. Each controller must maintain a record of processing activities under its responsibility, including the name and contact details of the controller, the purposes of the processing, a description of the categories of data subjects and personal data, transfers of personal data to a third country or an international organization, etc. Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller, containing similar information.[xxv] The PIPA, on the other hand, only requires personal information controllers to maintain access logs to counter data breach incidents.[xxvi]
Another difference is the data protection impact assessment. Pursuant to Article 33 of the PIPA, if a probable breach of personal information of data subjects arising out of the operation of personal information files meets the criteria prescribed by the Presidential Decree, public institutions must conduct an assessment to analyze and improve risk factors and submit the results thereof to the Minister of the Interior and Safety. The GDPR extends this requirement to the private sector. Pursuant to Article 35(1) of the GDPR, where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
(3) Enhancement of Rights of Data Subjects
As discussed earlier, the GDPR has vested the “right to data portability” in data subjects, allowing them to request data transfers to other controllers. Such a right is not stipulated under the PIPA. Also, the right not to be subject to a decision based solely on automated processing, including profiling, is guaranteed under the GDPR, but the PIPA has no similar provision.
(4) Transfers of Personal Data to Third Countries or International Organizations
Under the GDPR, any transfer of personal data to a third country or an international organization shall take place only if certain conditions are complied with by the controller and processor. For instance, a transfer of personal data to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.[xxvii] Such a transfer shall not require any specific authorization. Unlike the GDPR, the PIPA, in principle, requires the data subject’s consent for any overseas transfer of personal data, except for providers of information and communications services, who may transfer data overseas without consent under certain conditions listed in Article 63 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.
- What Should Korean Companies Do?
Trade in goods and services between the EU and South Korea has expanded significantly since the free trade agreement (FTA). The EU is now South Korea’s third largest export market, and its introduction of the GDPR can directly affect many Korean companies that process the personal data of European customers. In this regard, the government has opened an online portal to provide guidance and information on the EU’s new regulation. It has also urged those companies that process sensitive data of EU residents (data on health, genetic data, criminal records, etc.) or perform large-scale monitoring of publicly accessible spaces (e.g. CCTV) to pay special attention to the regulatory requirements to avoid any breach. Above all, top management must understand the importance of the GDPR and how it can affect their entire business, and roll out initiatives at the company level.
Korean companies subject to the GDPR must appoint a data protection officer who meets the prescribed qualifications and monitor the status of processing activities within the organization. They must also implement and operate internal controls to respond robustly to the requirements of the GDPR (e.g. procedures for protection of the rights of data subjects). Furthermore, the companies must review the maintenance of personal data, the adequacy of the processing, the procedures for obtaining consent from data subjects, any overseas transfers of personal data, etc. and must rectify any errors or deficiencies that may lead to violations of the GDPR.
The GDPR is considered the biggest breakthrough in the EU’s data privacy history as it gives European citizens more control over their own personal data and clarifies what companies across the EU must do to safeguard the rights of data subjects in a unified manner. From South Korea’s perspective, the extended territorial scope of the GDPR brings Korean companies that offer goods and services to European citizens under its umbrella. The companies are now at risk of facing the adverse consequences of non-compliance if they do not take the changes seriously.
To cope with the new global regulation, it is important for South Korea to obtain a blanket adequacy decision from the European Commission to pave the way for Korean companies to handle European information without further restrictions. The government has been pursuing adequacy talks with the EU for a long time, and if the European Commission concludes that South Korea’s legal system, particularly the PIPA, guarantees a level of data protection equivalent to that of the GDPR, data may flow freely.
The GDPR certainly poses difficult challenges for businesses around the globe, but at the same time, many take the view that the GDPR can be a catalyst for digital transformation and create an environment for data-driven innovation. With the government and companies working together to meet the “GDPR-centric” standards, it is anticipated that South Korea’s data protection regime will also see positive developments at the dawn of the Fourth Industrial Revolution.
Choi, Kyoungjin, “A Study of the Transborder Flow of Personal Information in International Transactions”, Korea Forum on International Trade and Business, Vol. 2, No. 2, 2017, p. 8.
“EUR-Lex – 32016R0679 – EN”, EUR-Lex, the Publications Office of the EU, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX:02016R0679-20160504
“GDPR vs. Personal Information Protection Act”, Korea Internet & Security Agency, Korea Internet & Security Agency, https://www.kisa.or.kr/business/gdpr/gdpr_tab4.jsp
“General Data Protection Regulation (GDPR) – Final text neatly arranged”, intersoft consulting, intersoft consulting services AG, https://gdpr-info.eu/
Leitner, John, “Data Privacy in South Korea: Can Legislation Transform Protection of Personal Information”, 21 October 2016, The Digital Asia Hub, https://www.digitalasiahub.org/2016/10/21/data-privacy-in-south-korea-can-legislation-transform-protection-of-personal-information/
Ministry of the Interior and Korea Internet & Security Agency, Guidance on “General Data Protection Regulation” for Korean Enterprises, April 2017.
“South Korea – Trade – European Commission”, European Commission – Policies, information and services, European Commission, http://ec.europa.eu/trade/policy/countries-and-regions/countries/south-korea/
“What is automated individual decision-making and profiling?”, ICO, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/automated-decision-making-and-profiling/what-is-automated-individual-decision-making-and-profiling/
[i] Article 4(1) of the GDPR
[ii] Article 9(1) of the GDPR
[iii] Article 2(h) of the DPD
[iv] Article 4(11) of the GDPR
[v] Recital 32 of the GDPR
[vi] Article 3(1) of the GDPR
[vii] Article 3(2) of the GDPR
[viii] Ministry of the Interior and Korea Internet & Security Agency, Guidance on “General Data Protection Regulation” for Korean Enterprises, April 2017.
[ix] Article 12(b) of the DPD
[x] Article 12(b) of the DPD
[xi] Article 17 of the GDPR
[xii] Article 12(b) of the DPD
[xiii] Article 15 of the GDPR
[xiv] “What is automated individual decision-making and profiling?”, ICO, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/automated-decision-making-and-profiling/what-is-automated-individual-decision-making-and-profiling/
[xv] Article 4 of the GDPR
[xvi] Article 20 of the GDPR
[xvii] Article 83 of the GDPR
[xviii] Article 37(1) of the GDPR
[xix] Leitner, John, “Data Privacy in South Korea: Can Legislation Transform Protection of Personal Information”, 21 October 2016, The Digital Asia Hub, https://www.digitalasiahub.org/2016/10/21/data-privacy-in-south-korea-can-legislation-transform-protection-of-personal-information/
[xx] “GDPR vs. Personal Information Protection Act”, Korea Internet & Security Agency, Korea Internet & Security Agency, https://www.kisa.or.kr/business/gdpr/gdpr_tab4.jsp
[xxi] Article 37(1) of the GDPR
[xxii] Article 37(5) of the GDPR
[xxiii] Article 31 of the PIPA
[xxiv] Article 32 of the Presidential Decree of the PIPA
[xxv] Articles 30(1) and 30(2) of the GDPR
[xxvi] Article 29 of the PIPA
[xxvii] Article 45(1) of the GDPR