On April 4, 2024, the Personal Information Protection Commission (PIPC) of South Korea issued the “Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators” (Guidelines). The Guidelines provide comprehensive guidance on how foreign operators can comply with their obligations under the Personal Information Protection Act (PIPA).
The Guidelines are based on the amended PIPA, which was enacted last year. They clarify legal obligations that foreign operators may have overlooked or found difficult to navigate under the amended PIPA. The Guidelines also incorporate insights gained from consultations with relevant experts and feedback gathered during meetings with foreign businesses operating in Korea.
Applicability of PIPA to Foreign Operators
The Guidelines identify three situations in which a foreign operator may be subject to the legal requirements of the PIPA:
- Foreign operators that provide goods or services to data subjects in Korea;
- Foreign operators that engage in personal data processing activities involving data subjects in Korea; and
- Foreign operators that have a local entity in Korea where personal data is processed.
In the first case, the PIPC will determine whether a foreign operator provides goods or services to data subjects in Korea. In doing so, the PIPC will make a holistic assessment of factors such as language, currency, web domain, and other forms and manner in which the goods or services are provided.
Second, even if a foreign operator does not directly provide goods or services to data subjects in Korea, the PIPA may still apply if the operator’s processing of personal information of data subjects in Korea has a direct and substantial impact on them. For example, if a foreign operator collects and discloses the personal information of data subjects in Korea on its website, even though its services are not directly targeted to them, the PIPA will apply because the data processing is deemed to have a substantial impact.
Finally, the PIPA may also apply to a foreign operator that has a local entity in Korea where personal data is processed as part of its global business operations. For instance, if a global service provider designates its Korean entity in its privacy policy as the controller for personal information of data subjects in Korea, the PIPA will apply to the Korean entity. However, if the processing of personal data is unrelated to the activities of the Korean entity, a different conclusion may be reached.
Key Compliance Obligations for Foreign Operators
The Guidelines highlight key compliance obligations for foreign operators under the amended PIPA, which domestic operators must also comply with. These include:
- Obtaining parental consent for children under the age of 14 (Article 22-2)
- Following procedures for cross-border data transfers (Article 28-8)
- Establishing and disclosing a privacy policy (Article 30)
- Promptly notifying and reporting personal data breaches (Article 34)
- Ensuring the rights of data subjects, including access, correction, deletion, etc. (Articles 35 to 38)
The Guidelines require foreign operators to notify the PIPC within 72 hours of becoming aware of a data breach involving data subjects in Korea, and to notify affected data subjects in the same manner as domestic operators. They must provide all available details of the data breach, even if preliminary, when reporting the incident to the authority.
When processing the personal information of data subjects in Korea overseas, the Guidelines emphasize that foreign operators are required to clearly disclose in writing the details of such processing, including the country and name of the overseas entity involved. They also recommend that the privacy policy made available to data subjects in Korea should include all relevant elements required under the PIPA to enhance readability and transparency.
In addition, where a foreign operator with a local entity in Korea is required to designate a domestic representative, the Guidelines advise that it is desirable to designate the Korean entity as the domestic representative.
Next Steps
The PIPC has posted the Guidelines on its website to encourage their active use. An English version of the Guidelines has also been posted on the website and shared with key foreign regulators.
The PIPC emphasized that in the era of global online services, the PIPA applies equally to domestic and foreign operators. It expressed the hope that the Guidelines will help foreign operators to better understand and comply with the legal requirements in Korea to robustly protect the personal information of data subjects.
If you have any questions regarding these developments, please contact Beomsu Kim or Byungchul (BC) Kim in our Seoul office.