Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Chung, Chan-Mo --- "Korea's recent legislation on online data protection" [1999] PrivLawPRpr 46; (1999) 6(3) Privacy Law & Policy Reporter 38

Korea’s recent legislation on online data protection

Principles of data protection in the 1999 Act
Enforcement
No independent watchdog
Endnotes

Korea’s recent legislation on online data protection

Chan-Mo Chung

On 8 February 1999, Korea enacted the Act on the Promotion and Protection of the Information Infrastructure (Reg No 5835) (the 1999 Act). Chapter 4 of the 1999 Act contains provisions on the protection of personal data over the networks (arts 16, 17 and 18), which closely follows the 1980 OECD Privacy Guidelines.[1]

Before the enactment of this legislation, the Korean legal regime of data protection consisted of the following.

• The Act on the Protection of Personal Data Dealt by Public Entities, which has generally applied to the personal data automatically processed by the public sector. Although it has a provision recommending private entities respect the data protection rules, it has no administrative or enforcement mechanism as to the private entities.
• Sector specific rules exist for the private sector such as the Credit Report Protection Act, Real Name Financial Trade and Secrecy Act, Telecommunications Business Act,[2] and the Telecommunications Secrecy Protection Act.

General rules to be applied to the private sector processing of the personal data do not exist. However, the 1999 Act is dealing with an increasingly important part of data compiling in the private sector. This law applies to the telecommunications business operators and others who provide data or facilitate the provision of data over telecommunications networks (the processor). Electronic commerce among other information and communication services is the area at which the provisions are aimed.

Article 19(3) of the 1999 Act also prohibits unsolicited spam mail.

Principles of data protection in the 1999 Act

1. The processor should obtain as little amount of personal data as required for the provision of the services (art 16(1)).
2. Unless data processing is necessary for the execution of a contract and billing for the service provided, consent of data subject for the data processing is required (art 16(2)).
3. Personal data file should be deleted when the processor has already obtained the purpose of data processing

   (art 17(3)).

4. Technical measures should be taken to safeguard the security of data processing (art 16(4)).
5. The purpose of the data processing and the party to whom the data is transferred should be notified to the data subject (art 16(3)).
6. The data subject has the right of access to the personal data about him or her and the right to request correction of any incorrect data (art 18(2)).
7. The processor cannot use the incorrect data challenged by the data subject without correction (art 18(4)).
8. The processor should designate a controller of personal data (art 17(4)).

Enforcement

The privacy provisions of the 1999 Act enter into force on 1 January 2000. Criminal and administrative penalties shall be imposed on those who breach the principles of data protection:

• up to 1 year imprisonment or 10 million won penalty shall be imposed for those who processed personal data beyond the scope of the purpose or transferred to the recipient other than as consented (art 30); and
• up to 5 million won administrative penalties shall be imposed for the violation of other principles of data protection (art 32).

No independent watchdog

The 1999 Act does not establish a Data Commissioner. This reflects the drafters’ intention not to create a

new bureaucratic body. The efficacy of the online data protection provisions, therefore, depends on the data subject’s recognition of its rights and its willingness to exercise them. However, considering the lack of long tradition of the protection of personal data in Korea, it would be advisable to appoint a Data Commissioner to promote voluntary privacy appliance and to review the implementation of the principles of data protection.

Chan-Mo Chung, D Phil, Korea Information Society Development Institute, <cmchung@sunnet.kisdi.re.kr>.

(1) No person shall encroach upon or divulge communication secrecy held by telecommunications business operator.

(2) The one engaged or [who] has been engaged in telecommunication service shall not divulge others’ communication secrets obtained while in office.

(3) When related authorities ask for perusal or submission of documents regarding telecomm-unication service for investigation needs in writing, then telecommunication business operator or the one entrusted with partial treatment of telecomm-unication service under art 12 may accede to [this request].