South Korea

Subscribe to South Korea

On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).

Continue Reading South Korea granted adequacy decision

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

Continue Reading South Korea – EDPB adopts an opinion on the Commission’s draft adequacy decision

On 30 March 2021, the European Commission announced, in a joint statement with South Korea’s data protection authority, the Personal Information Protection Commission (PIPC), the “successful conclusion” of the adequacy talks between the EU and South Korea. Such adequacy decision will enable the free flow of personal data from the EU to South Korea, covering

The Act on the Promotion of Information Communication Network Utilization and Information Protection (“PICNUIA”) has been amended to include potential punitive damages for South Korean businesses that provide services over the internet. From 23 September this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times

Ever since January 2014, when South Korea’s credit card industry lost huge amounts of customer data during a data breach, the South Korean government has been gradually announcing stricter penalties for those who run afoul of data protection rules. The latest amendment to the Personal Information Protection Act (PIPA), Bill No. 15737 (‘Amendment’), published 7 July, is no different and introduces punitive damages and statutory damages into Korea’s data protection legislation.

As a result of the Amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused from the ‘loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or a serious error’. Consumers may claim statutory damages of up to 3 million Korean won (approx. £1,700). The Amendment also includes increased enforcement powers for the Personal Information Protection Committee, such as recommending policy and system changes, and handling dispute resolution. The Amendment also includes a certification mechanism for compliance with the PIPA.
Continue Reading South Korea introduces further data protection breach penalties to encourage compliance, and issues mobile app guidance

South Korea’s Ministry of Government Administration and Home Affairs issued an amended version of the Standards of Personal Information Security Measures (the ‘Standards’). These Standards seek to close loopholes and inadequacies in the South Korean data protection law, and to counter the growing number of data breaches, especially those arising from use of mobile devices.

In December 2014, the Korea Communications Commission (KCC) released the“Big Data Guidelines for Data Protection” (Guidelines). Aimed at Information and Communications Service Providers (ICSPs), they are designed to prevent the misuse of “publicly available information” to create and exploit new information. The Guidelines expressly permit ICSPs to collect and use “publicly available information”, within

On 27 October 2013, South Korea’s Ministry of Security and Public Administration (MOSPA) announced that beginning 28 November 2013, the government is set to issue certifications to companies that can demonstrate compliance with their duties under the Personal Information Protection Act (PIPA).

Companies will be able to file applications for certification to the National Information