Korea tightens data protection rules

Author: | Published: 23 Feb 2015

Sky Yang of Bae Kim & Lee outlines recent legislative changes as South Korea finally comes round to tightening its data protection regulations


In 2014, Korea entered into a new era of privacy protection after experiencing one of the biggest data breaches of credit card companies in the country. The breach involved over 100 million items of customers' personal information, including names, resident registration numbers (RRNs), addresses, and credit information.

Subsequent investigations revealed that the data leak was the result of: (i) insufficient data privacy measures and controls under Korean laws and regulations (from a regulatory perspective); and, (ii) data processors' negligence (in particular, financial companies that hold and process a large amount of customers' personal information).


Korea's lack of stringent data protection regulations had been under criticism for years, but it was not until 2014 that the regulators moved to reform the country's data protection policy by amending the Personal Information Protection Act (PIPA) and the Financial Holding Company Act (FHCA).

The new amendment to the PIPA, which became effective on August 7 2014, included stricter regulation on the processing of RRNs. The amendment has created challenges for many business operators in Korea, including financial firms, which had depended on easy access to customers' personal information in marketing products and businesses. In addition, the FHCA was amended to restrict the sharing of customers' personal information within financial holding groups, which has created challenges for financial firms' sales activities.

These recent changes and developments in the country's data protection regulations are viewed by some market players as overreaching and highly burdensome. However, these developments show that the regulators began to see the need to strengthen protection of customers' information and to prevent the type of misuse and abuse of personal information as experienced in the country in 2014. Further developments and changes are expected to take place in the future.

Changes to RRN processing

Before the PIPA amendment

Unlike in the US, Canada, Sweden or the UK, where the collection and use of personal identification information are permitted only for limited purposes, in Korea RRNs have long been the most widely and conveniently used type of personal identification information in every area (including administrative, financial, medical, and other public and private service areas). As such, any information leakage involving RRNs may lead to more serious breaches of other personal, credit or financial information. For this reason, the PIPA categorises RRNs as 'unique identification information' (UII) and provides more stringent standards for RRN protection compared to other types of general personal information.

The PIPA generally prohibits the processing of UII unless: (i) the data subject's explicit consent to such processing has been separately obtained; or (ii) any laws or regulations other than the PIPA require or permit such processing, where the term processing includes collection, creation, recording, saving, holding, modification, editing, searching, retrieving, correction, recovering, usage, provision, disclosure, and destruction.

Before the adoption of the 2014 amendment to the PIPA, the above restriction was also applicable to RRNs. This approach, which regulated RRNs in the same manner as other UII, was criticised because in practice it was easy to obtain a data subject's consent, and as a result many data subjects were exposed to large-scale data breaches such as the credit card information leak in 2014.

After the PIPA amendment

Under the 2014 amendment to the PIPA: (i) the processing of RRNs is prohibited regardless of the data subject's consent; and, (ii) the data processor must, within two years of the date of implementation of the 2014 amendment to the PIPA (by August 6 2016), destroy all RRNs collected before August 7 2014, unless certain exceptions apply.

Exceptions include where the processing of RRNs: (i) is required or permitted by any law or regulation other than the PIPA (for example for the purpose of sharing personal credit information it is permitted by the Use and Protection of Credit Information Act); (ii) is necessary to protect the interest of a data subject or a third party concerning their life, physical safety or property (for example in case of emergency patients or criminal victims); or, (iii) is required or permitted by the enforcement regulation promulgated by the Ministry of Security and Public Administration of Korea (the Mospa) in November 2014. The Mospa's enforcement regulation (which is in the form of an amendment to the presidential decrees of various relevant laws governing public services) permits the processing of RRNs where such processing is necessary to facilitate the key administrative services conducted by public authorities and lists other circumstances where the processing of RRNs is permitted.

The above changes apply to all corporations and institutions (both domestic and foreign) in both public and private sectors. The most significant change to the PIPA is that the processing of RRNs is now prohibited regardless of the data subject's consent – a change which is expected to prevent data leakage and misuse of personal information, especially by private-sector data processors.

In fact, it has long been criticised that in Korea individual customers are often required by service providers (such as financial companies) to give consent for the service provider to access all of the customer's personal identification information; the customer cannot select only the information that they are comfortable sharing, and this is a typical requirement of most companies in Korea.

The PIPA only provides a basic framework for the processing of RRNs, and its interpretation and enforcement are subject to the guidelines of the competent authorities, including the Mospa (which is in charge of supervising the enforcement of the PIPA) and the Financial Services Commission of Korea (FSC – which regulates data protection policies with respect to credit or financial information and financial companies).

The Mospa and the FSC provide a three-step approach as follows:

Step 1 (General prohibition)
  • Mospa's guideline: The processing of RRNs is in principle prohibited.
  • FSC's guideline: The processing of RRNs is allowed in some laws and regulations (such as the Real Name Financial Transactions and Confidentiality Act).

Step 2 (Amend/enact)
  • Mospa's guideline: An amendment or enactment of relevant laws and regulations is necessary to allow the processing of RRNs only to the minimum extent necessary.
  • FSC's guideline: The FSC must amend the relevant laws and regulations (such as the Banking Act and the Use and Protection of Credit Information Act) to allow the processing of RRNs for certain financial businesses (for whom the processing of RRNs is indispensable) and companies.

Step 3 (In the long term)
  • Mospa's guideline: An alternative personal identification system (such as i-pin or My-Pin) must be established.
  • FSC's guideline: The FSC must encourage financial companies to develop, establish or use alternative personal identification systems.

With regard to step 2, the FSC's position is that under the Use and Protection of Credit Information Act (Credit Information Act), the collection of RRNs for the purpose of identifying the data subject with certain credit information (as defined in the Credit Information Act) is allowed, despite the changes adopted in the 2014 amendment to the PIPA.

An information processor in violation of the regulations on RRNs is subject to an administrative fine of up to W30 million ($27,000). However, the Mospa granted a compliance period (until February 6 2015) during which no punitive measures will be taken against minor violations.

Outsourcing of data processing

Before the FHCA amendment

The FHCA, before its amendment in 2014, did not impose heavy regulatory burdens in respect of data protection and privacy measures, so as to facilitate efficient data management by financial companies. While the PIPA, the Credit Information Act and the Real Name Financial Transactions and Confidentiality Act (Real Name Act) usually require the data subject's consent for data transfer (either within or outside the holding group), the FHCA alleviated that burden by providing an exception to the consent requirement. Under the FHCA, a financial company, without obtaining the consent of the relevant data subject, was allowed to share the data subject's financial transaction information (as defined in the Real Name Act) and personal credit information (as defined in the Credit Information Act) within its financial holding group for any business purposes (including sales, distribution, and marketing purposes). Other than the purpose test (the requirement of a business purpose), there was no other way to effectively restrict or regulate data transfer within a financial holding group.

The above exception, which in practice allowed data sharing among affiliates within each financial holding group, was pointed out as being one of the causes that made financial companies vulnerable to massive data breach cases such as the data leak of credit card firms in 2014.

An interim measure


To prevent mass data leaks, the Korean government drastically changed its position with respect to group-wide data transfers by proposing an amendment to the FHCA on May 28 2014, which became effective on November 29 2014. In addition, the Financial Supervisory Service of Korea (FSS) issued a Model Business Guideline on May 1 2014, which provided for more stringent regulations on intra-group data transfers, to be effective during the interim period until the implementation date of the 2014 amendment to the FHCA. Under the FSS's supervision, the Model Business Guideline was adopted by most financial holding groups in Korea.

The Model Business Guideline is similar to the 2014 amendment to the FHCA in that it allowed group-wide data transfers without the consent of the data subject only for 'internal business management' of the financial holding group. In addition, the Model Business Guideline required individual notification of data transfers to the relevant customers at least once a year, and prohibited the use of such transferred data for more than one month unless otherwise approved by the chief information officer (CIO).

However, like the FHCA, the Model Business Guideline provided certain exceptions under which group-wide data transfers for business purposes (such as sales or marketing purposes) are allowed. These exceptions are: (i) if the interest or consent of the relevant customer is clearly expected; or, (ii) if the chief information officer (CIO) and the board of directors of the company approve such transfer. This was the most significant difference from the 2014 amendment to the FHCA.

Post-amendment FHCA

The FHCA before its amendment in 2014 allowed intra-group data transfers for any business purposes, while the Model Business Guideline allowed such data transfers only for internal business management purposes subject to certain exceptions.

The 2014 amendment to the FHCA further reduced the scope of permissible data transfers by limiting them to transfers for internal business management purposes only and required that data shared within a financial holding group for business purposes (other than for internal business management purposes) be destroyed by February 28 2015.

Under the amendment to the FHCA, a financial company is allowed to transfer financial transaction information and personal credit information without obtaining the consent of the relevant data subject. However, this is only if such data transfer is necessary for certain internal business management purposes as provided in the amendment, and as set out in the enforcement decree of the FHCA and the FSC's Regulation on Supervision of Financial Holding Company for the following purposes: (i) risk management, internal control or inspection of subsidiaries for the purposes of improving corporate integrity; (ii) product or service development, customer analysis or business delegation for the purposes of creating a group-wide synergy effect; or (iii) distribution of performance or costs between subsidiaries for the purposes of performance management.


Most importantly, the amendment excludes from the scope of permissible purposes of data sharing the introduction or solicitation of sale of products or services to customers. The above list is more restrictive than the Model Business Guideline, and is expected to restrict financial holding groups' ability to share customer-related data within the group.

Both the enforcement decree of the FHCA and the FSC's Regulations contain additional details regarding intra-group information transfers.

In addition, the 2014 amendment to the FHCA requires financial holding groups to comply with the following procedures to share data within the group:

  • a notice of data transfer (specifying the transferor, transferee, and the purpose and items of transfer) must be sent to the relevant customer at least once a year;
  • the transferred data may be used (processed) for a maximum of one month, unless otherwise approved by the CIO;
  • the provision of the original documents is prohibited (only copies of such original documents can be shared within the financial holding group);
  • the CIO must review the purpose and period of use, scope of the shared data and authorised persons to use such data;
  • the data shared must be stored or saved in a separate location from the transferee's own customer data;
  • the shared customer data must be codified;
  • the shared data must be destroyed immediately after such data becomes no longer necessary; and
  • the CIO of the financial holding company must comprehensively inspect the data transfer within the group at least once a year, and report the outcome of the inspection to the FSS.

A notable difference from the FHCA before its 2014 amendment is that the 2014 amendment: (a) requires the transferor to notify the relevant customers of the data sharing that took place at least once a year; and (b) limits the period of use of the shared data to a maximum of one month (unless otherwise approved by the CIO).

About the author

Sky Yang
Partner, Bae Kim & Lee

Seoul, Korea
T: 82 2 3404 0143
F: 82 2 3404 7304
E: sky.yang@bkl.co.kr
W: www.bkl.co.kr

Sky Yang has been in the financial regulatory practice for over 20 years, advising various financial companies in Korea. He has also handled numerous cross-border transactions in the form of foreign direct investments, overseas acquisitions, joint ventures and leveraged buyouts. Yang's strength lies in M&A and the restructuring of financial institutions such as commercial banks, securities firms, asset management companies and insurance firms. He has represented: domestic and foreign financial companies and institutional investors, including Hana Financial, Shinhan Financial, STX, UBS, PCA, and MassMutual; domestic and foreign private equity funds including Vogo Fund and KKR; and government organisations such as the Korea Deposit Insurance Corporation and the Financial Supervisory Commission.

Yang earned an LL.B. from Seoul National University in 1988 and an LL.M. from New York University Law School in 1999. He actively participates in pro bono activities as a member of the Financial Supervisory Commission, the Ministry of Justice, the Korea Exchange, and the Korean Bar Association.
