In recent years, South Korea has become synonymous with some of the strictest data protection laws and regulatory requirements in the region. These laws are administered by the Korea Communications Commission (KCC), the Ministry of the Interior and Safety (MOIS), and other sector-specific supervisory authorities. Recent amendments to the three laws listed below have resulted in stricter penalties, as well as criminal prosecution for data security breaches.
Privacy Officer found guilty of criminal negligence for failing to prevent data security breach
On January 7, 2020, the Seoul Eastern District Court found the privacy officer of a South Korean travel agency guilty of negligence for failing to prevent a 2017 data security breach. The breach affected over 465,000 agency customers and roughly 29,000 agency employees. The charge against the company and its privacy officer hinged on the failure to implement appropriate technical and administrative measures that could have prevented the breach and enabled timely notification to the appropriate Korean regulator. The court imposed a penalty of 10 million South Korean Won on the privacy officer, in addition to the 327,250,000 Korean Won fine imposed on the company by the Ministry of the Interior and Safety. Beyond the fines, the Korean Prosecutor’s Office had requested an eight-month prison sentence for the privacy officer, which the court decided not to impose.
Two other similar cases are currently pending against a Korean cryptocurrency company, as well as against a hotel booking application. In both cases, the companies’ privacy officers are being prosecuted for their failure to implement proper technical and administrative measures under the Network Act, in the context of data security breaches.
Stricter requirements for information and communication service providers
Among other notable recent developments in South Korea, the Network Act now makes it mandatory for “information and communications service providers”, both domestic and those located overseas, who meet certain conditions to designate a local agent to handle matters related to personal information and data protection requirements (i.e., a privacy officer). “Information and communications service providers” are broadly defined to include any person or entity that provides information, or mediates the flow of information, through a telecommunications network. This broad definition essentially encompasses all companies that engage in online business, and even those that merely provide information or services (e.g., host a website) through a telecommunications network. While a mandate to appoint a local privacy officer is not unusual, the potential for civil and criminal liability of privacy officers in Korea has drawn public attention.
Global companies with operations in South Korea should scrutinize current technical and administrative measures for preventing and reporting data security breaches carefully. With penalties of imprisonment of up to two years, and fines of up to 20 million Korean Won, companies and their privacy officers should monitor current practices through effective governance, and continuously seek to enhance security controls and appropriate internal controls.
The three laws referred to above are:
- Personal Information Protection Act (“PIPA”)
- Use and Protection of Credit Information Act
- Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”)