Personal Data Protections Expand in Korea

Mr. Kwang Hyun Ryoo, a partner at the Korean law firm of Bae, Kim & Lee LLC, is reporting in the firm’s newsletter that on March 29, 2011, Korea enacted a comprehensive personal data protection law, entitled the Personal Information Protection Act (PIPA). Most of the act’s provisions will come into force on September 30, 2011.

According to Mr. Ryoo, the new law extends data protection requirements across a broad spectrum of information processing. Mr. Ryoo notes that whereas the scope of existing data protection statutes is limited to certain entities and types of information, PIPA broadly governs the collection and processing of any personal data, by private and public entities.

Generally, PIPA requires the individual’s informed consent for any collection, use or disclosure of personal information. The law, however, provides for a number of exceptions to the consent requirement. The new law also puts limits on the amount of personal data that individuals may be required to provide.

PIPA applies broadly to “personal information” processed by any entity deemed to be a “handler” of personal information. PIPA defines “personal information” as any information from which, by itself or combined with other information, an individual can be identified, whether from the individual’s name, identification number, image or other attributes. A “handler” of personal information is any entity, company, government organization, individual or other person that, directly or through a third party, handles personal information for business purposes. PIPA applies to both electronically and manually recorded information.

Remedies for data protection violations include the right to seek class action mediation and litigation.

For detailed analysis of PIPA’s provisions, please refer to Mr. Ryoo’s article.

InfoLawGroup Says:

As more and more countries adopt comprehensive data protection laws that often incorporate EU-like provisions, the compliance equation gets more complicated for companies operating worldwide. Many of these laws share common elements, such as notice, consent, choice, access and data security. You also can find these elements articulated in the Federal Trade Commission's Fair Information Practice Principles. Structuring your company's personal information practices around these elements should help in achieving compliance in the U.S. as well as in foreign jurisdictions.