South Korea’s Data Protection and E-Privacy Laws: An Overview

Data Protection

South Korea has implemented various regulations to protect individuals’ personal information, with a focus on obtaining consent from data subjects. Here are the key points:

• Consent: Explicit consent is required from individuals before processing their personal information.
• Personal Information Managers: Organizations must disclose their privacy policies and obtain consent before collecting, using, or providing personal information.

Consequences of Non-Compliance

• Administrative Fines: Breaches of the Personal Information Protection Act (PIPA) can result in administrative fines up to 3% of the relevant organization’s revenue.
• Imprisonment and Criminal Fines: Violators may face imprisonment up to five years or a criminal fine up to KRW 50 million.

Compensation for Damages

Data subjects can claim compensation for damages, including:

• Statutory Damages: Up to KRW 3 million
• Treble Damages

E-Privacy

E-privacy regulations in South Korea focus on obtaining consent for various online activities. Key points include:

• Cookies: Consent is required for cookies that contain personal information.
• Marketing by Email: Explicit consent is needed before sending commercial emails or messages for marketing purposes.

Exemptions

Commercial information can be sent without consent via email if obtained from a prior sale within six months. In such cases, the title of the email must start with “Gwango” (advertisement).

Enforcement

South Korean authorities actively enforce PIPA regulations and provide alternative dispute resolution options for quicker resolution.

• Fines: The data protection authorities impose fines on organizations that fail to comply with PIPA regulations.
• Alternative Dispute Resolution: Personal information dispute mediation and collective action options are available for quicker resolution.