Ever since January 2014, when South Korea’s credit card industry lost huge amounts of customer data during a data breach, the South Korean government has been gradually announcing stricter penalties for those who run afoul of data protection rules. The latest amendment to the Personal Information Protection Act (PIPA), Bill No. 15737 (‘Amendment’), published 7 July, is no different and introduces punitive damages and statutory damages into Korea’s data protection legislation.
As a result of the Amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused by the ‘loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or a serious error’. Consumers may claim statutory damages of up to 3 million Korean won (approx. £1,700). The Amendment also gives the Personal Information Protection Committee increased enforcement powers, such as recommending policy and system changes and handling dispute resolution, and it includes a certification mechanism for compliance with the PIPA.
The expectation is that the Amendment, by allowing damages for data breaches, will lead to a sharp increase in liability lawsuits following personal data breaches. With some organisations holding millions of customers’ data, the enormous potential fine should in turn encourage organisations and others who hold personal data to take greater care to protect personal information. As yet no serious punishments have been handed out, but these recent changes provide further enforcement opportunities to the Korean authorities.
The Amendment will come into force a year after promulgation occurs, but any organisation operating in South Korea should ensure its data protection and privacy systems are up to date and fully operational as soon as possible.
This month, the Korean Communications Commission issued a mobile app guide which it will start enforcing in October. The guide is meant to provide practical information about the collection and use of personal information through mobile apps, app stores and smartphone operating systems, as well as guidance relating to obtaining consent and use of consent settings on mobile apps. The guide is available in Korean only at http://bit.ly/1DI2qKs.