Financial Crime World

Here’s the article in markdown format:

Personal Information Protection Act (PIPA) in South Korea

==============================

The Personal Information Protection Act (PIPA) is a comprehensive law that regulates the processing of personal information (PI) in South Korea. In this article, we will provide an overview of PIPA, including its application, scope, and key provisions.

Application of PIPA

Extraterritorial Effect

  • PIPA applies to all personal information processed in South Korea, with extraterritorial effect.
  • This means that the processing of PI of Korean individuals is subject to PIPA requirements, regardless of where the processing takes place.

Scope of PIPA

Coverage of Personal Information Processing Activities

  • PIPA covers virtually every kind of use and processing of PI, including:
    • Collection
    • Use
    • Value-added processing
    • Editing
    • Combination
    • Storage
    • Transfer

Key Provisions

Local Representative Requirement

  • Offshore companies that lack a business presence in Korea but process PI of one million or more Korean individuals must appoint a local representative.
  • This requirement is triggered by the number of Korean users, not revenue.

Application to Pseudonymised and Anonymised Data

  • PIPA applies to all categories and types of PI, including pseudonymised data.
  • However, when PI is anonymised (rendered infeasible to reidentify), it is no longer governed by PIPA.

Duties of Owners, Controllers, and Processors

Distinctions between Controllers and Processors

  • There are basic distinctions between controllers (PI handlers) and processors (entrustees) of PI, along with data subjects.
  • The duties of owners, controllers, and processors differ:
    • Owners: responsible for ensuring that their processing of PI complies with PIPA requirements.
    • Controllers: responsible for ensuring that their processing of PI complies with PIPA requirements.
    • Processors: responsible for handling PI in accordance with the instructions of controllers.

Other Laws and Regulations

Specific Protections for Individual Data

  • Other laws and regulations in South Korea provide specific protections for individual credit data, electronic financial transactions, online services, medical records, and health-medical data.