The Ministry of Security and Public Administration (the “MSPA”) has the power to enforce the Personal Information Protection Law (the “PIPL”). If the MSPA finds a clear basis to support a finding of infringement of personal data, and also finds that a failure to act in such circumstances may result in irrecoverable damages, the MSPA may order the infringing party to:
- Cease and desist from engaging in the infringing activity;
- Suspend any processing of personal data; and/or
- Take other actions to protect the personal data and to prevent infringement.
Furthermore, if the MSPA finds a clear basis to support a finding of criminal activity by a personal data processor resulting from its violation of the PIPL and other laws and regulations on personal data protection, the MSPA may file a criminal complaint with the law enforcement authorities.

In addition, the Ministry of Science, ICT and Future Planning (the “MSIFP”) and the Korea Communications Commission (the “KCC”) have the authority to enforce the Law on Promotion of Information and Communications Network Utilization and Information Protection (the “Information Protection Law”). The MSIFP and/or the KCC may (a) issue a document submission order to any person in violation of the Information Protection Law; (b) issue a correction order to such person; or (c) impose an administrative fine on such person. Furthermore, the KCC may file a criminal complaint with the law enforcement authorities for any violation of the Information Protection Law.
Under the PIPL, a data subject that incurs damages due to a violation of the PIPL by a data processor may file a claim against the data processor. In this regard, the data processor may not be exempt from liability unless the data processor shows that it did not engage in intentional misconduct or was not negligent. However, if the data processor shows that it complied with the statutory requirements and was not idle in its duty to exercise due care and control, the liability of the data processor for any loss, theft, unauthorized release, alteration or damages to personal data may be reduced. Under the Information Protection Law, a consumer that incurs damages due to a violation of the Information Protection Law by a service provider may file a claim against the service provider. In this regard, the service provider may not be exempt from liability unless the service provider shows that it did not engage in intentional misconduct or was not negligent.
The PIPL provides different criminal penalties for different types of activities, as follows.
1. Imprisonment up to 5 years or fine of up to KRW 50 million for:
- Transfer of personal data to a third party without the consent of the relevant data subject (including any original collector of personal data).
- Use or transfer to a third party of personal data without the consent of the relevant data subject.
- Processing of sensitive data without separate consent.
2. Imprisonment up to 3 years or fine of up to KRW 30 million for:
- Operating video imaging equipment for a purpose other than the original purpose of installing the video imaging equipment, or aiming the video imaging equipment at another location for such other purpose.
- Acquiring personal data through deception or other improper means or method.
3. Imprisonment up to 2 years or fine of up to KRW 20 million:
- If the personal data in a data processor’s possession is lost, stolen, released without authorization, altered or damaged due to the data processor’s non-compliance with the security requirements.
In this regard, if any officer or employee of a legal entity is subject to the foregoing penalties and the legal entity fails to show that it was not idle in its duty to exercise due care and control to prevent the relevant violations, the legal entity may be subject to a monetary fine. The Information Protection Law provides for similar penalties.
PIPL
For lesser violations, such as collecting personal data without the consent of data subject or legal guardian, the MSPA may impose an administrative fine of up to KRW 10 million, KRW 30 million or KRW 50 million for each violation.
Information Protection Law
The MSIFP and/or the KCC may impose an administrative fine on persons who violate the Information Protection Law.
In addition, any dispute in connection with personal data may be referred to the Personal Data Dispute Mediation Commission. Infringement of privacy through the use of information and communications network may be referred to the Defamation Mediation Division.
Selected Enforcement Actions / General Comment
The Korean law enforcement authorities have been more aggressive in their enforcement of the Korean personal data protection laws since the incident from 2014 that involved a large-scale unauthorized disclosure of customer data from credit card companies (in this case, the employee at a credit information company that released the relevant customer data without authorization was sentenced to 3 years in prison). Following the incident, the Korean law enforcement authorities have formed special joint task force teams for investigation of unauthorized disclosure of personal data. Due to this step, there have been many instances of criminal investigation, and the following is a list of some of the more well-known cases.
- Homeplus, a large Korean distribution company, sold the personal information of its customers collected through a raffle event to an insurance company. Homeplus, including its highest-level management, is under investigation by the public prosecutor’s office.
- An employee at a supplier for Samsung Electro-Mechanics has been arrested for stealing the personal information of the former and current officers and employees of Samsung Electro-Mechanics.
- A Korean pharmaceutical software company is under investigation by the public prosecutor’s office for attempting to sell stolen patient medical records (about 700 million items) to a pharmaceutical consulting company (the president of this pharmaceutical software company has been arrested).
- SK Telecom, the largest telecommunications company in Korea, has been indicted (together with some of its employees) for using the personal information of 150,000 of its customers without authorization.