Financial Crime World

Korea Amends Enforcement Decree for Personal Information Protection Act

Strengthening Data Protection in South Korea

In a move aimed at enhancing data protection and safeguarding individual rights, the Korean government has introduced an amended Enforcement Decree to the country’s Personal Information Protection Act (PIPA). The changes, which came into effect on March 15, 2024, introduce specific rules for automated decision-making and qualification requirements for Chief Privacy Officers (CPOs), as well as insurance requirements.

New Rules for Automated Decision-Making

  • Data subjects have the right to request explanations or reviews of decisions made through fully automated processes.
  • This includes scenarios where the decision significantly affects their rights and obligations.
  • Data controllers are required to provide a concise explanation detailing the criteria and processing procedures that led to the decision.

Data subjects can also refuse automated decisions if they significantly affect their rights and obligations, but only if they have not been informed in advance of the use of such technology. If data controllers have justifiable reasons for denying the exercise of this right, they must provide a clear explanation.

Qualification Requirements for Chief Privacy Officers (CPOs)

  • Data controllers with annual revenue or income exceeding KRW 150 billion and holding sensitive information are required to appoint a CPO with at least four years of experience in personal information protection.
  • This ensures that organizations handling large amounts of sensitive data have qualified professionals overseeing their personal information processing.

Expanded Insurance Requirements

  • The new regulations expand the entities subject to the insurance requirement, including:
    • Online service providers with 10,000 users or more
    • Annual sales of at least KRW 1 billion
  • However, certain entities such as public institutions and small businesses that outsource data processing are exempt from this requirement.

Notable Changes

  • Regular evaluations of the management status of unique identification information are now required every three years instead of every two years.
  • Data controllers must disclose specific information in their privacy policies regarding the overseas transfer of personal information.

The amendments aim to enhance data protection and safeguard the rights of individuals in South Korea.