Privacy & Information Security Law Blog

As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.  The implementing rules will be worked out before the law is due to take effect on September 30, 2011.  South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.

According to the South Korean Ministry of Public Administration and Security (the “Ministry”), the data protection requirements of the new law will cover about 3.5 million public and private sector businesses and organizations, with 3 million being covered for the first time.  The comprehensive new law remedies “blind spots” and eliminates redundancies created by the previous patchwork of privacy regulations, and sets standard operating procedures at each stage of handling personal data.  The omnibus privacy law adheres to the established data protection principles regarding requiring prior consent for the collection, use, sharing and disposal of personal data.

According to the Ministry, the legislation will be effective particularly in preventing damage caused by leaked and misused personal data.  Under the new law, covered entities must report incidents of leaked personal data to government privacy and law enforcement authorities and notify affected individuals.  The new law also will require privacy assessments for large database development by public services providers.  In addition, individuals will have improved legal recourse for privacy infringement, such as (1) privacy telephone hotline centers to register data protection complaints; (2) a dispute mediation committee which can seek out-of-court privacy settlements; and (3) the option of filing a class action lawsuit.

The omnibus law will establish a centralized data protection planning and enforcement system in the form of a new presidential committee.  The Ministry has the ultimate responsibility for administering the new law and issuing three-year action plans to execute privacy policy programs.