Apr 222016

South Korea Enacts Stricter Penalties for Data Protection Violations by Telecommunications and Online Services Providers

Colleen Theresa Brown, Yuet Ming Tham and Samuel Yim
, , , ,

South Korea has enacted stricter penalties for violations of data protection or privacy requirements by telecommunications and online service providers, including potentially steep damages in the wake of a data breach. The amendment (the “Amendment”) to South Korea’s Act on the Promotion of IT Network Use and Information Protection (“Network Act”) became law on March 22, 2016 and will become effective on September 23, 2016. The Network Act regulates and protects the personal information of individuals (“Information Subjects”) that are collected, used and disclosed by telecommunications and online service providers (“Service Providers.”) Overall, the Amendment provides heavier penalties for violating privacy provisions in the Network Act. The increased penalties and stricter privacy standards are consistent with recent amendments in other Korean privacy laws, such as the Personal Information Protection Act and the Utilization and Protection of Credit Information Act.

Some of the key changes in the Amendment are summarized below.

  • Punitive Damages Provision. Service Providers may be liable for fines amounting to three times actual damages where a Plaintiff/Information Subject can demonstrate that personal information was breached as the result of intentional or gross negligence by the Service Provider (Article 32, Clauses 2 and 3).
  • Forfeiture of Profits. Any profits that a Service Provider gains through privacy-related violations of the Network Act are subject to confiscation and forfeiture (Article 75, Clause 2).
  • 3% Fine of Related Revenue. Service Providers that transfer personal information outside of Korea for access, management and storage abroad (“Overseas Transfer”) must obtain prior consent from the Information Subject. If a Service Provider fails to obtain prior consent, it may be subject to fines of up to three percent of the revenue related to the Overseas Transfer (Article 32, Section 2).
  • Accountability of Senior Officers. For violations of the Network Act by Service Providers, the Korean Communications Commission may also recommend disciplinary action against the chief executive officer or other senior officers of the Service Provider (Article 69, Section 2).

The Amendments represent another step by the Korean government to toughen Korea’s privacy-related laws and regulations, which are already viewed by many to be extremely robust. The Amendment, along with other recent updates to Korean privacy laws, will likely lead to increased data breach litigation and further notable enforcement actions by Korean authorities. Service Providers operating in Korea should consider the increased risks and potential liabilities for data protection violations under the Network Act and consider strengthening compliance programs ahead of the September effective date.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Samuel Yim

samuel.yim@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.