South Korea Passes Major Overhaul Of Data Protection Law

• Law Firm: lus Laboris
• Subject Matter: Privacy, Data Protection
• Author: Doil Son (Yulchon LLC), Sun Hee Kim (Yulchon LLC), Seung Jin Heo (Yulchon LLC) and DaYeon Ahn (Yulchon LLC)
• Published date: 21 March 2023

South Korea's amendment to the Personal Information Protection Act ('PIPA') was passed by the National Assembly on 27 February 2023.

The amendment comes more than two years after the Personal Information Protection Commission ('PIPC') proposed the initial draft amendment bill. The amended PIPA will take effect on 15 September 2023.

The amended PIPA aims to give momentum to the growth of Korea's digital economy based on emerging technologies and data, and includes the following key changes:

• strengthening the rights of data subjects by introducing the right to data portability and the right to object to automated decision-making;
• simplifying the application of the PIPA for all data controllers by removing special provisions for online service providers;
• shifting from criminal sanctions towards economic sanctions and
• providing additional grounds for overseas transfer of personal information (similar to EU GDPR's adequacy decision) in addition to the current stringent consent requirement.

Most provisions in the amended PIPA will take effect six months after the promulgation of the law (15 September 2023). However, certain provisions, including the right to object to automated decision-making, will take effect one year later. The right to data portability will take effect on a date to be determined by the Enforcement Decree of the PIPA, which will be issued between one and two years after the promulgation of the law.

Strengthening the rights of data subjects

The amended PIPA enhances the rights of data subjects by introducing the right to data portability and the right to object to automated decision-making.

Right to data portability

The amended PIPA grants data subjects the right to request that their personal information be transmitted to themselves or to a third party who satisfies the security standards to be specified in the Enforcement Decree.

Upon receiving a transmission request, a data controller must ensure that the requested information is transmitted within a reasonable timeframe, at a reasonable cost, and via reasonable means. The data controller may either reject or suspend a transmission request if the identity of the requesting data subject is not confirmed, or if other conditions specified in the Enforcement Decree are met.

The scope of personal information that can be transmitted, the process of requesting transmission, the deadline and method of transmission, the method of revoking a transmission request, the method of rejecting or...