New Report on Limits of “Consent” in South Korea’s Data Protection Law
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI) – as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific” – are publishing a second report in their series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC) – this time focusing on South Korea.
This report provides a detailed overview of relevant laws and regulations in South Korea, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The first report focused on the People’s Republic of China and explained how the country’s data protection framework has evolved over the past few years from a consent-centric model to one which provides various alternatives to consent in a GDPR-type model.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
South Korea’s Data Protection Landscape
South Korea’s data protection law is founded on similar principles to those of other major data protection laws internationally stemming from the Fair Information Practice Principles, including lawfulness, purpose specification, purpose limitation, data minimization, data accuracy, and security.
In fact, South Korea is one of the few jurisdictions in Asia Pacific which has received an EU adequacy decision, by which the European Commission determines that the level of personal data protection in a given jurisdiction is “essentially equivalent” to that under the GDPR. In June 2021, the European Commission published its draft adequacy decision for South Korea and transmitted the decision to the European Data Protection Board (EDPB) for consideration.
South Korea’s general law on personal data protection is the Personal Information Protection Act (PIPA), which went into effect on September 30, 2011 with the stated purpose of governing processing and protection of personal data to safeguard the rights and freedoms of individuals. The PIPA is complemented by an enforcement decree, various sector specific laws, including in the credit, telecommunications, and insurance sectors, and guidelines issued by South Korea’s data protection regulator, the Personal Information Protection Commission (PIPC).
The PIPA contains detailed provisions covering the lifecycle of personal data from the time that it is collected until it is deleted. The PIPA provides data subjects with rights over their personal data, including, notably, express rights to be informed and to decide whether and to what extent to consent when their personal data is processed. The PIPA also imposes numerous compliance obligations on data controllers including mandatory obligations to issue a privacy policy, appoint a data protection officer, and notify data subjects in the event of a breach of their personal data, with penalties for non-compliance, including specific offenses for collecting and using personal data without a legal basis, such as consent.
The latest major round of amendments to the PIPA was in 2020. These amendments introduced, among others:
- specific obligations for organizations which provide commercial information and communication services online, including strict obligations to notify users of how their personal data will be processed and obtain users’ consent for processing of personal data, with very limited exceptions;
- new provisions allowing pseudonymized data to be processed without consent for purposes of statistics, research, and public records;
- a general principle that data controllers should endeavor to use anonymized data for processing wherever possible and where it is not possible to achieve the purposes of processing using anonymized data, to use pseudonymized data as much as possible.
- reforms to the structure and powers of PIPC to establish the organization as an independent, centralized data protection authority like its counterparts in the EU.
Role and Status of Consent in South Korea’s Personal Data Protection Law
Since the PIPA took effect in 2011, it has provided several equal legal bases for collecting personal data, including consent but also alternatives to consent where collection of personal data is necessary for:
- executing and performing a contract with the data subject.
- complying with a legal obligation.
- a public institution to carry out its legal duties.
- protecting of a person’s life, body, or property interests from immediate danger, where it is not feasible to obtain consent; and
- fulfillment of a legitimate interest of the data controller, where this interest clearly supersedes the rights and interests of the data subject.
The PIPA’s legal bases are similar to those recognized by other major data protection laws internationally, including, notably, the GDPR. However, the PIPA’s requirements for relying on alternative bases to consent are often stricter than those under GDPR, and there is also less guidance on the circumstance in which organizations can rely on alternative legal bases, compared with guidance on how to obtain consent. Organizations in South Korea therefore tend to rely on consent rather than other legal bases in practice.
If an organization seeks to rely on consent to process personal data, the consent must be explicit, opt-in, and informed. In the latter regard, the PIPA requires the organization to notify the data subject of certain information when seeking consent. This includes the purpose for processing the data, what data will be processed, and the data subject’s right to deny consent. If the data subject refuses to give consent after receiving this information, the controller is prohibited from denying provision of goods or services to the data subject on this basis.
Where personal data has been collected on the basis of consent, the controller may use personal data or disclose it to a third party if this use or disclosure is reasonably related to the original purpose for which the data was collected. If the processing is not reasonably related to this original purpose, then the controller must seek fresh consent. Data subjects also have a right to withdraw consent to processing of their personal data at any time.
Processing personal data without a valid legal basis, failing to provide required notifications, and processing personal data beyond the scope of the purpose of collection are all violations under the PIPA, and there have been several high-profile enforcement cases where penalties were imposed on organizations that failed to comply with the PIPA’s consent requirements. A notable example is ScatterLab, an company whose AI chatbot collected personal information from over 200,000 children under the age of 14 without obtaining parental consent.
Lastly, the PIPA imposes stricter obligations on processing of certain personal data which falls within a category of “sensitive personal information” which if revealed, would constitute a material breach of privacy. This category includes personal data regarding a person’s ideological and religious beliefs, trade union and political party membership, political views, health and genetics, sexual orientation, criminal records, and individual physiological or behavioral profile. Notice and consent are generally required for processing of this class of personal data, with limited exceptions.